"Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
news:39C66C1C-A57D-415E-9141-E2C656AA8B54@microsoft.com...
> I am running a SBS 2003 server.  At exactly 3:27 AM every morning, some
> process is trying to send out mail both to me and others.  The lsit of
others
> is always the same and I am thinking that some email came in with soem
> infection attached.  I don't know any of the other addressees.  I say
> "trying" because I have actually blocked anything from going out by
setting
> up some rules in my Trend Client Server Messaging Suite SMB and that rule
was
> set up to delete the three mails that occur at 3:27 AM, which it now does
> very nicely.  But I have been trying to eradicate the source of the
problem.
> I did the standard things I know to do.  I ran a complete virus check of
all
> of the client machines.  I ran a virus check of all of the volumes on my
> server.  I turned off all of the clients so none of them were running at
the
> witching hour.  I read logs.  I looked for strange processes running on
the
> server.  I looked for unexpected scheduled events.  So far I have found
> nothing that has lead me to be able to eradicate the problem.  I am now
> fairly conviced (though not positive) that the rogue process is actually
not
> on a workstation, but in fact on the server itself, which makes me kind of
> nervous.  I wonder if anyone out there (including someone at Microsoft)
has a
> suggestion as to the best way to lay a trap for this racal and figure out
how
> to eradicate it.  Any good ideas out there?
>
> I really would appreciate any help I can get.
>
> Thanks,
>
> Rich

"Pegasus (MVP)" wrote:

>
> "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> news:39C66C1C-A57D-415E-9141-E2C656AA8B54@microsoft.com...
> > I am running a SBS 2003 server.  At exactly 3:27 AM every morning, some
> > process is trying to send out mail both to me and others.  The lsit of
> others
> > is always the same and I am thinking that some email came in with soem
> > infection attached.  I don't know any of the other addressees.  I say
> > "trying" because I have actually blocked anything from going out by
> setting
> > up some rules in my Trend Client Server Messaging Suite SMB and that rule
> was
> > set up to delete the three mails that occur at 3:27 AM, which it now does
> > very nicely.  But I have been trying to eradicate the source of the
> problem.
> > I did the standard things I know to do.  I ran a complete virus check of
> all
> > of the client machines.  I ran a virus check of all of the volumes on my
> > server.  I turned off all of the clients so none of them were running at
> the
> > witching hour.  I read logs.  I looked for strange processes running on
> the
> > server.  I looked for unexpected scheduled events.  So far I have found
> > nothing that has lead me to be able to eradicate the problem.  I am now
> > fairly conviced (though not positive) that the rogue process is actually
> not
> > on a workstation, but in fact on the server itself, which makes me kind of
> > nervous.  I wonder if anyone out there (including someone at Microsoft)
> has a
> > suggestion as to the best way to lay a trap for this racal and figure out
> how
> > to eradicate it.  Any good ideas out there?
> >
> > I really would appreciate any help I can get.
> >
> > Thanks,
> >
> > Rich
>
> Check all your .bat and .cmd files. Chances are that one of them
> uses a Command Line mailer.
>
>
>

"Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
news:ECAAEF15-6445-4E6D-A44A-DD7E69550634@microsoft.com...
> Dear Pegaus-
>
> Thanks for replying.  I wish that was it.  I had checked the .bat files
> already, but forgot about the .cmd files.  So after your suggestion I
looked
> through all the .bat and .cmd files.  None of them looked to be the
culprit.
> That was a good thought though.  Any other wisdom?
>
> "Pegasus (MVP)" wrote:
>
> >
> > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> > news:39C66C1C-A57D-415E-9141-E2C656AA8B54@microsoft.com...
> > > I am running a SBS 2003 server.  At exactly 3:27 AM every morning,
some
> > > process is trying to send out mail both to me and others.  The lsit of
> > others
> > > is always the same and I am thinking that some email came in with soem
> > > infection attached.  I don't know any of the other addressees.  I say
> > > "trying" because I have actually blocked anything from going out by
> > setting
> > > up some rules in my Trend Client Server Messaging Suite SMB and that
rule
> > was
> > > set up to delete the three mails that occur at 3:27 AM, which it now
does
> > > very nicely.  But I have been trying to eradicate the source of the
> > problem.
> > > I did the standard things I know to do.  I ran a complete virus check
of
> > all
> > > of the client machines.  I ran a virus check of all of the volumes on
my
> > > server.  I turned off all of the clients so none of them were running
at
> > the
> > > witching hour.  I read logs.  I looked for strange processes running
on
> > the
> > > server.  I looked for unexpected scheduled events.  So far I have
found
> > > nothing that has lead me to be able to eradicate the problem.  I am
now
> > > fairly conviced (though not positive) that the rogue process is
actually
> > not
> > > on a workstation, but in fact on the server itself, which makes me
kind of
> > > nervous.  I wonder if anyone out there (including someone at
Microsoft)
> > has a
> > > suggestion as to the best way to lay a trap for this racal and figure
out
> > how
> > > to eradicate it.  Any good ideas out there?
> > >
> > > I really would appreciate any help I can get.
> > >
> > > Thanks,
> > >
> > > Rich
> >
> > Check all your .bat and .cmd files. Chances are that one of them
> > uses a Command Line mailer.
> >
> >
> >

"Pegasus (MVP)" wrote:

> Since the mail is always sent at 3:27, I would create a task that
> runs at 3:26 and takes a snapshot of all running processes,
> perhaps something like this:
>
> @echo off
> for /L %%a in (1,1,120) do (c:\tools\pulist > c:\tasks%%a.log & ping
> localhost -n 1)
>
> This would give you 120 task list files that you can examine for
> the command line mailer used. Once you know its name, you
> can start tracking it down.
>
>
> "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> news:ECAAEF15-6445-4E6D-A44A-DD7E69550634@microsoft.com...
> > Dear Pegaus-
> >
> > Thanks for replying.  I wish that was it.  I had checked the .bat files
> > already, but forgot about the .cmd files.  So after your suggestion I
> looked
> > through all the .bat and .cmd files.  None of them looked to be the
> culprit.
> > That was a good thought though.  Any other wisdom?
> >
> > "Pegasus (MVP)" wrote:
> >
> > >
> > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> > > news:39C66C1C-A57D-415E-9141-E2C656AA8B54@microsoft.com...
> > > > I am running a SBS 2003 server.  At exactly 3:27 AM every morning,
> some
> > > > process is trying to send out mail both to me and others.  The lsit of
> > > others
> > > > is always the same and I am thinking that some email came in with soem
> > > > infection attached.  I don't know any of the other addressees.  I say
> > > > "trying" because I have actually blocked anything from going out by
> > > setting
> > > > up some rules in my Trend Client Server Messaging Suite SMB and that
> rule
> > > was
> > > > set up to delete the three mails that occur at 3:27 AM, which it now
> does
> > > > very nicely.  But I have been trying to eradicate the source of the
> > > problem.
> > > > I did the standard things I know to do.  I ran a complete virus check
> of
> > > all
> > > > of the client machines.  I ran a virus check of all of the volumes on
> my
> > > > server.  I turned off all of the clients so none of them were running
> at
> > > the
> > > > witching hour.  I read logs.  I looked for strange processes running
> on
> > > the
> > > > server.  I looked for unexpected scheduled events.  So far I have
> found
> > > > nothing that has lead me to be able to eradicate the problem.  I am
> now
> > > > fairly conviced (though not positive) that the rogue process is
> actually
> > > not
> > > > on a workstation, but in fact on the server itself, which makes me
> kind of
> > > > nervous.  I wonder if anyone out there (including someone at
> Microsoft)
> > > has a
> > > > suggestion as to the best way to lay a trap for this racal and figure
> out
> > > how
> > > > to eradicate it.  Any good ideas out there?
> > > >
> > > > I really would appreciate any help I can get.
> > > >
> > > > Thanks,
> > > >
> > > > Rich
> > >
> > > Check all your .bat and .cmd files. Chances are that one of them
> > > uses a Command Line mailer.
> > >
> > >
> > >
>
>
>

"Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
news:F2DDBE24-3D84-4E0F-9600-4647200A38A2@microsoft.com...
> Dear Pegasus:
>
> OK.  I created a batch file with your source code in it and am kicking it
> off with the task shceduler.  I'll let you know what it tells me.
>
> Thanks again.
>
> Rich
>
> "Pegasus (MVP)" wrote:
>
> > Since the mail is always sent at 3:27, I would create a task that
> > runs at 3:26 and takes a snapshot of all running processes,
> > perhaps something like this:
> >
> > @echo off
> > for /L %%a in (1,1,120) do (c:\tools\pulist > c:\tasks%%a.log & ping
> > localhost -n 1)
> >
> > This would give you 120 task list files that you can examine for
> > the command line mailer used. Once you know its name, you
> > can start tracking it down.
> >
> >
> > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> > news:ECAAEF15-6445-4E6D-A44A-DD7E69550634@microsoft.com...
> > > Dear Pegaus-
> > >
> > > Thanks for replying.  I wish that was it.  I had checked the .bat
files
> > > already, but forgot about the .cmd files.  So after your suggestion I
> > looked
> > > through all the .bat and .cmd files.  None of them looked to be the
> > culprit.
> > > That was a good thought though.  Any other wisdom?
> > >
> > > "Pegasus (MVP)" wrote:
> > >
> > > >
> > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
message
> > > > news:39C66C1C-A57D-415E-9141-E2C656AA8B54@microsoft.com...
> > > > > I am running a SBS 2003 server.  At exactly 3:27 AM every morning,
> > some
> > > > > process is trying to send out mail both to me and others.  The
lsit of
> > > > others
> > > > > is always the same and I am thinking that some email came in with
soem
> > > > > infection attached.  I don't know any of the other addressees.  I
say
> > > > > "trying" because I have actually blocked anything from going out
by
> > > > setting
> > > > > up some rules in my Trend Client Server Messaging Suite SMB and
that
> > rule
> > > > was
> > > > > set up to delete the three mails that occur at 3:27 AM, which it
now
> > does
> > > > > very nicely.  But I have been trying to eradicate the source of
the
> > > > problem.
> > > > > I did the standard things I know to do.  I ran a complete virus
check
> > of
> > > > all
> > > > > of the client machines.  I ran a virus check of all of the volumes
on
> > my
> > > > > server.  I turned off all of the clients so none of them were
running
> > at
> > > > the
> > > > > witching hour.  I read logs.  I looked for strange processes
running
> > on
> > > > the
> > > > > server.  I looked for unexpected scheduled events.  So far I have
> > found
> > > > > nothing that has lead me to be able to eradicate the problem.  I
am
> > now
> > > > > fairly conviced (though not positive) that the rogue process is
> > actually
> > > > not
> > > > > on a workstation, but in fact on the server itself, which makes me
> > kind of
> > > > > nervous.  I wonder if anyone out there (including someone at
> > Microsoft)
> > > > has a
> > > > > suggestion as to the best way to lay a trap for this racal and
figure
> > out
> > > > how
> > > > > to eradicate it.  Any good ideas out there?
> > > > >
> > > > > I really would appreciate any help I can get.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Rich
> > > >
> > > > Check all your .bat and .cmd files. Chances are that one of them
> > > > uses a Command Line mailer.
> > > >
> > > >
> > > >
> >
> >
> >

"Pegasus (MVP)" wrote:

> I trust you made sure that pulist.exe resides where my
> batch file expects it. I also recommend that you invoke
> that batch file manually at least once, for testing purposes.
>
>
> "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> news:F2DDBE24-3D84-4E0F-9600-4647200A38A2@microsoft.com...
> > Dear Pegasus:
> >
> > OK.  I created a batch file with your source code in it and am kicking it
> > off with the task shceduler.  I'll let you know what it tells me.
> >
> > Thanks again.
> >
> > Rich
> >
> > "Pegasus (MVP)" wrote:
> >
> > > Since the mail is always sent at 3:27, I would create a task that
> > > runs at 3:26 and takes a snapshot of all running processes,
> > > perhaps something like this:
> > >
> > > @echo off
> > > for /L %%a in (1,1,120) do (c:\tools\pulist > c:\tasks%%a.log & ping
> > > localhost -n 1)
> > >
> > > This would give you 120 task list files that you can examine for
> > > the command line mailer used. Once you know its name, you
> > > can start tracking it down.
> > >
> > >
> > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> > > news:ECAAEF15-6445-4E6D-A44A-DD7E69550634@microsoft.com...
> > > > Dear Pegaus-
> > > >
> > > > Thanks for replying.  I wish that was it.  I had checked the .bat
> files
> > > > already, but forgot about the .cmd files.  So after your suggestion I
> > > looked
> > > > through all the .bat and .cmd files.  None of them looked to be the
> > > culprit.
> > > > That was a good thought though.  Any other wisdom?
> > > >
> > > > "Pegasus (MVP)" wrote:
> > > >
> > > > >
> > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
> message
> > > > > news:39C66C1C-A57D-415E-9141-E2C656AA8B54@microsoft.com...
> > > > > > I am running a SBS 2003 server.  At exactly 3:27 AM every morning,
> > > some
> > > > > > process is trying to send out mail both to me and others.  The
> lsit of
> > > > > others
> > > > > > is always the same and I am thinking that some email came in with
> soem
> > > > > > infection attached.  I don't know any of the other addressees.  I
> say
> > > > > > "trying" because I have actually blocked anything from going out
> by
> > > > > setting
> > > > > > up some rules in my Trend Client Server Messaging Suite SMB and
> that
> > > rule
> > > > > was
> > > > > > set up to delete the three mails that occur at 3:27 AM, which it
> now
> > > does
> > > > > > very nicely.  But I have been trying to eradicate the source of
> the
> > > > > problem.
> > > > > > I did the standard things I know to do.  I ran a complete virus
> check
> > > of
> > > > > all
> > > > > > of the client machines.  I ran a virus check of all of the volumes
> on
> > > my
> > > > > > server.  I turned off all of the clients so none of them were
> running
> > > at
> > > > > the
> > > > > > witching hour.  I read logs.  I looked for strange processes
> running
> > > on
> > > > > the
> > > > > > server.  I looked for unexpected scheduled events.  So far I have
> > > found
> > > > > > nothing that has lead me to be able to eradicate the problem.  I
> am
> > > now
> > > > > > fairly conviced (though not positive) that the rogue process is
> > > actually
> > > > > not
> > > > > > on a workstation, but in fact on the server itself, which makes me
> > > kind of
> > > > > > nervous.  I wonder if anyone out there (including someone at
> > > Microsoft)
> > > > > has a
> > > > > > suggestion as to the best way to lay a trap for this racal and
> figure
> > > out
> > > > > how
> > > > > > to eradicate it.  Any good ideas out there?
> > > > > >
> > > > > > I really would appreciate any help I can get.
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Rich
> > > > >
> > > > > Check all your .bat and .cmd files. Chances are that one of them
> > > > > uses a Command Line mailer.
> > > > >
> > > > >
> > > > >
> > >
> > >
> > >
>
>
>

"Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
news:9154CD91-D5D5-471D-9A1D-1FCB0A71F69F@microsoft.com...
> Dear Pegasus:
>
> Your intuition was right.  It is a good thing you suggested that.  The
batch
> file didn't work for a couple of reasons.  I shouldhave checked it more
> closely.  But now it seems to work fine.  Here is what I did to make it
work.
>  First, the thing went way too fast.  120 samples was done way too quickly
so
> I bumped the number up to 1200.  That is a lot to look through, but I
guess I
> can figure out how to compare the files to see what is different between
> them.  Not a heck of a lot will be happening between 3:26 and 3:27 AM.
The
> second thing I had to adjust was the syntax.  There was a couple of quotes
> missing in the commands. so I fixed that.  The defaut location of the
pulist
> was changed to where Windows puts it.  So the new batch file looks
something
> like this:
>
> @echo off
> for /L %%a in (1,1,1200) do ("c:\program files\resource kit\pulist" >
> c:\crap\tasks%%a.log & ping localhost -n 1)
>
> It seems to work fine, so tonight I will see if the task scheduler does
its
> thing and traps the nasty task.
>
> Again, I really appreicate your suggestiosn and help.
>
> Thanks,
>
> Rich
>
> "Pegasus (MVP)" wrote:
>
> > I trust you made sure that pulist.exe resides where my
> > batch file expects it. I also recommend that you invoke
> > that batch file manually at least once, for testing purposes.
> >
> >
> > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> > news:F2DDBE24-3D84-4E0F-9600-4647200A38A2@microsoft.com...
> > > Dear Pegasus:
> > >
> > > OK.  I created a batch file with your source code in it and am kicking
it
> > > off with the task shceduler.  I'll let you know what it tells me.
> > >
> > > Thanks again.
> > >
> > > Rich
> > >
> > > "Pegasus (MVP)" wrote:
> > >
> > > > Since the mail is always sent at 3:27, I would create a task that
> > > > runs at 3:26 and takes a snapshot of all running processes,
> > > > perhaps something like this:
> > > >
> > > > @echo off
> > > > for /L %%a in (1,1,120) do (c:\tools\pulist > c:\tasks%%a.log & ping
> > > > localhost -n 1)
> > > >
> > > > This would give you 120 task list files that you can examine for
> > > > the command line mailer used. Once you know its name, you
> > > > can start tracking it down.
> > > >
> > > >
> > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
message
> > > > news:ECAAEF15-6445-4E6D-A44A-DD7E69550634@microsoft.com...
> > > > > Dear Pegaus-
> > > > >
> > > > > Thanks for replying.  I wish that was it.  I had checked the .bat
> > files
> > > > > already, but forgot about the .cmd files.  So after your
suggestion I
> > > > looked
> > > > > through all the .bat and .cmd files.  None of them looked to be
the
> > > > culprit.
> > > > > That was a good thought though.  Any other wisdom?
> > > > >
> > > > > "Pegasus (MVP)" wrote:
> > > > >
> > > > > >
> > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
> > message
> > > > > > news:39C66C1C-A57D-415E-9141-E2C656AA8B54@microsoft.com...
> > > > > > > I am running a SBS 2003 server.  At exactly 3:27 AM every
morning,
> > > > some
> > > > > > > process is trying to send out mail both to me and others.  The
> > lsit of
> > > > > > others
> > > > > > > is always the same and I am thinking that some email came in
with
> > soem
> > > > > > > infection attached.  I don't know any of the other addressees.
I
> > say
> > > > > > > "trying" because I have actually blocked anything from going
out
> > by
> > > > > > setting
> > > > > > > up some rules in my Trend Client Server Messaging Suite SMB
and
> > that
> > > > rule
> > > > > > was
> > > > > > > set up to delete the three mails that occur at 3:27 AM, which
it
> > now
> > > > does
> > > > > > > very nicely.  But I have been trying to eradicate the source
of
> > the
> > > > > > problem.
> > > > > > > I did the standard things I know to do.  I ran a complete
virus
> > check
> > > > of
> > > > > > all
> > > > > > > of the client machines.  I ran a virus check of all of the
volumes
> > on
> > > > my
> > > > > > > server.  I turned off all of the clients so none of them were
> > running
> > > > at
> > > > > > the
> > > > > > > witching hour.  I read logs.  I looked for strange processes
> > running
> > > > on
> > > > > > the
> > > > > > > server.  I looked for unexpected scheduled events.  So far I
have
> > > > found
> > > > > > > nothing that has lead me to be able to eradicate the problem.
I
> > am
> > > > now
> > > > > > > fairly conviced (though not positive) that the rogue process
is
> > > > actually
> > > > > > not
> > > > > > > on a workstation, but in fact on the server itself, which
makes me
> > > > kind of
> > > > > > > nervous.  I wonder if anyone out there (including someone at
> > > > Microsoft)
> > > > > > has a
> > > > > > > suggestion as to the best way to lay a trap for this racal and
> > figure
> > > > out
> > > > > > how
> > > > > > > to eradicate it.  Any good ideas out there?
> > > > > > >
> > > > > > > I really would appreciate any help I can get.
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > > Rich
> > > > > >
> > > > > > Check all your .bat and .cmd files. Chances are that one of them
> > > > > > uses a Command Line mailer.
> > > > > >
> > > > > >
> > > > > >
> > > >
> > > >
> > > >
> >
> >
> >

"Pegasus (MVP)" wrote:

> Sorry, I made a mistake. Change the command to
> ping localhost -n 2
> in order to introduce a delay of about one second,
> then reduce the loop number back to 120.
>
>
> "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> news:9154CD91-D5D5-471D-9A1D-1FCB0A71F69F@microsoft.com...
> > Dear Pegasus:
> >
> > Your intuition was right.  It is a good thing you suggested that.  The
> batch
> > file didn't work for a couple of reasons.  I shouldhave checked it more
> > closely.  But now it seems to work fine.  Here is what I did to make it
> work.
> >  First, the thing went way too fast.  120 samples was done way too quickly
> so
> > I bumped the number up to 1200.  That is a lot to look through, but I
> guess I
> > can figure out how to compare the files to see what is different between
> > them.  Not a heck of a lot will be happening between 3:26 and 3:27 AM.
> The
> > second thing I had to adjust was the syntax.  There was a couple of quotes
> > missing in the commands. so I fixed that.  The defaut location of the
> pulist
> > was changed to where Windows puts it.  So the new batch file looks
> something
> > like this:
> >
> > @echo off
> > for /L %%a in (1,1,1200) do ("c:\program files\resource kit\pulist" >
> > c:\crap\tasks%%a.log & ping localhost -n 1)
> >
> > It seems to work fine, so tonight I will see if the task scheduler does
> its
> > thing and traps the nasty task.
> >
> > Again, I really appreicate your suggestiosn and help.
> >
> > Thanks,
> >
> > Rich
> >
> > "Pegasus (MVP)" wrote:
> >
> > > I trust you made sure that pulist.exe resides where my
> > > batch file expects it. I also recommend that you invoke
> > > that batch file manually at least once, for testing purposes.
> > >
> > >
> > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> > > news:F2DDBE24-3D84-4E0F-9600-4647200A38A2@microsoft.com...
> > > > Dear Pegasus:
> > > >
> > > > OK.  I created a batch file with your source code in it and am kicking
> it
> > > > off with the task shceduler.  I'll let you know what it tells me.
> > > >
> > > > Thanks again.
> > > >
> > > > Rich
> > > >
> > > > "Pegasus (MVP)" wrote:
> > > >
> > > > > Since the mail is always sent at 3:27, I would create a task that
> > > > > runs at 3:26 and takes a snapshot of all running processes,
> > > > > perhaps something like this:
> > > > >
> > > > > @echo off
> > > > > for /L %%a in (1,1,120) do (c:\tools\pulist > c:\tasks%%a.log & ping
> > > > > localhost -n 1)
> > > > >
> > > > > This would give you 120 task list files that you can examine for
> > > > > the command line mailer used. Once you know its name, you
> > > > > can start tracking it down.
> > > > >
> > > > >
> > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
> message
> > > > > news:ECAAEF15-6445-4E6D-A44A-DD7E69550634@microsoft.com...
> > > > > > Dear Pegaus-
> > > > > >
> > > > > > Thanks for replying.  I wish that was it.  I had checked the .bat
> > > files
> > > > > > already, but forgot about the .cmd files.  So after your
> suggestion I
> > > > > looked
> > > > > > through all the .bat and .cmd files.  None of them looked to be
> the
> > > > > culprit.
> > > > > > That was a good thought though.  Any other wisdom?
> > > > > >
> > > > > > "Pegasus (MVP)" wrote:
> > > > > >
> > > > > > >
> > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
> > > message
> > > > > > > news:39C66C1C-A57D-415E-9141-E2C656AA8B54@microsoft.com...
> > > > > > > > I am running a SBS 2003 server.  At exactly 3:27 AM every
> morning,
> > > > > some
> > > > > > > > process is trying to send out mail both to me and others.  The
> > > lsit of
> > > > > > > others
> > > > > > > > is always the same and I am thinking that some email came in
> with
> > > soem
> > > > > > > > infection attached.  I don't know any of the other addressees.
> I
> > > say
> > > > > > > > "trying" because I have actually blocked anything from going
> out
> > > by
> > > > > > > setting
> > > > > > > > up some rules in my Trend Client Server Messaging Suite SMB
> and
> > > that
> > > > > rule
> > > > > > > was
> > > > > > > > set up to delete the three mails that occur at 3:27 AM, which
> it
> > > now
> > > > > does
> > > > > > > > very nicely.  But I have been trying to eradicate the source
> of
> > > the
> > > > > > > problem.
> > > > > > > > I did the standard things I know to do.  I ran a complete
> virus
> > > check
> > > > > of
> > > > > > > all
> > > > > > > > of the client machines.  I ran a virus check of all of the
> volumes
> > > on
> > > > > my
> > > > > > > > server.  I turned off all of the clients so none of them were
> > > running
> > > > > at
> > > > > > > the
> > > > > > > > witching hour.  I read logs.  I looked for strange processes
> > > running
> > > > > on
> > > > > > > the
> > > > > > > > server.  I looked for unexpected scheduled events.  So far I
> have
> > > > > found
> > > > > > > > nothing that has lead me to be able to eradicate the problem.
> I
> > > am
> > > > > now
> > > > > > > > fairly conviced (though not positive) that the rogue process
> is
> > > > > actually
> > > > > > > not
> > > > > > > > on a workstation, but in fact on the server itself, which
> makes me
> > > > > kind of
> > > > > > > > nervous.  I wonder if anyone out there (including someone at
> > > > > Microsoft)
> > > > > > > has a
> > > > > > > > suggestion as to the best way to lay a trap for this racal and
> > > figure
> > > > > out
> > > > > > > how
> > > > > > > > to eradicate it.  Any good ideas out there?
> > > > > > > >
> > > > > > > > I really would appreciate any help I can get.
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > >
> > > > > > > > Rich
> > > > > > >
> > > > > > > Check all your .bat and .cmd files. Chances are that one of them
> > > > > > > uses a Command Line mailer.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > >
> > > > >
> > > > >
> > >
> > >
> > >
>
>
>

"Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
news:8EF937FE-AE87-4130-BC82-F45428F9A409@microsoft.com...
> Dear Pegasus-
>
> Unfortunately I got your reply only this morning.  I weas sleeping when
the
> batch file ran at 3L26 AM.  So the procedure ran with the value of 1200
last
> night starting at 3:26 AM.  I will revise the batch file parameters and
run
> it again tonight.  I did get the 1200 files stored this morning and have
not
> had a chance yet to figure out how to analyze all of them.  They are all 3
KB
> each.  For wahtever reason, my exchange server was stopped this morning
and
> the logs indicated that it had stopped at 3:30 AM  I don't know why this
> happened either or wheter it was related to the huge job I gave tie batch
> file to do, but anyway I started the Exchage service up again and emails
are
> working fine now.
>
> Regards,
>
> Rich
>
> "Pegasus (MVP)" wrote:
>
> > Sorry, I made a mistake. Change the command to
> > ping localhost -n 2
> > in order to introduce a delay of about one second,
> > then reduce the loop number back to 120.
> >
> >
> > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> > news:9154CD91-D5D5-471D-9A1D-1FCB0A71F69F@microsoft.com...
> > > Dear Pegasus:
> > >
> > > Your intuition was right.  It is a good thing you suggested that.  The
> > batch
> > > file didn't work for a couple of reasons.  I shouldhave checked it
more
> > > closely.  But now it seems to work fine.  Here is what I did to make
it
> > work.
> > >  First, the thing went way too fast.  120 samples was done way too
quickly
> > so
> > > I bumped the number up to 1200.  That is a lot to look through, but I
> > guess I
> > > can figure out how to compare the files to see what is different
between
> > > them.  Not a heck of a lot will be happening between 3:26 and 3:27 AM.
> > The
> > > second thing I had to adjust was the syntax.  There was a couple of
quotes
> > > missing in the commands. so I fixed that.  The defaut location of the
> > pulist
> > > was changed to where Windows puts it.  So the new batch file looks
> > something
> > > like this:
> > >
> > > @echo off
> > > for /L %%a in (1,1,1200) do ("c:\program files\resource kit\pulist" >
> > > c:\crap\tasks%%a.log & ping localhost -n 1)
> > >
> > > It seems to work fine, so tonight I will see if the task scheduler
does
> > its
> > > thing and traps the nasty task.
> > >
> > > Again, I really appreicate your suggestiosn and help.
> > >
> > > Thanks,
> > >
> > > Rich
> > >
> > > "Pegasus (MVP)" wrote:
> > >
> > > > I trust you made sure that pulist.exe resides where my
> > > > batch file expects it. I also recommend that you invoke
> > > > that batch file manually at least once, for testing purposes.
> > > >
> > > >
> > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
message
> > > > news:F2DDBE24-3D84-4E0F-9600-4647200A38A2@microsoft.com...
> > > > > Dear Pegasus:
> > > > >
> > > > > OK.  I created a batch file with your source code in it and am
kicking
> > it
> > > > > off with the task shceduler.  I'll let you know what it tells me.
> > > > >
> > > > > Thanks again.
> > > > >
> > > > > Rich
> > > > >
> > > > > "Pegasus (MVP)" wrote:
> > > > >
> > > > > > Since the mail is always sent at 3:27, I would create a task
that
> > > > > > runs at 3:26 and takes a snapshot of all running processes,
> > > > > > perhaps something like this:
> > > > > >
> > > > > > @echo off
> > > > > > for /L %%a in (1,1,120) do (c:\tools\pulist > c:\tasks%%a.log &
ping
> > > > > > localhost -n 1)
> > > > > >
> > > > > > This would give you 120 task list files that you can examine for
> > > > > > the command line mailer used. Once you know its name, you
> > > > > > can start tracking it down.
> > > > > >
> > > > > >
> > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
> > message
> > > > > > news:ECAAEF15-6445-4E6D-A44A-DD7E69550634@microsoft.com...
> > > > > > > Dear Pegaus-
> > > > > > >
> > > > > > > Thanks for replying.  I wish that was it.  I had checked the
..bat
> > > > files
> > > > > > > already, but forgot about the .cmd files.  So after your
> > suggestion I
> > > > > > looked
> > > > > > > through all the .bat and .cmd files.  None of them looked to
be
> > the
> > > > > > culprit.
> > > > > > > That was a good thought though.  Any other wisdom?
> > > > > > >
> > > > > > > "Pegasus (MVP)" wrote:
> > > > > > >
> > > > > > > >
> > > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote
in
> > > > message
> > > > > > > > news:39C66C1C-A57D-415E-9141-E2C656AA8B54@microsoft.com...
> > > > > > > > > I am running a SBS 2003 server.  At exactly 3:27 AM every
> > morning,
> > > > > > some
> > > > > > > > > process is trying to send out mail both to me and others.
The
> > > > lsit of
> > > > > > > > others
> > > > > > > > > is always the same and I am thinking that some email came
in
> > with
> > > > soem
> > > > > > > > > infection attached.  I don't know any of the other
addressees.
> > I
> > > > say
> > > > > > > > > "trying" because I have actually blocked anything from
going
> > out
> > > > by
> > > > > > > > setting
> > > > > > > > > up some rules in my Trend Client Server Messaging Suite
SMB
> > and
> > > > that
> > > > > > rule
> > > > > > > > was
> > > > > > > > > set up to delete the three mails that occur at 3:27 AM,
which
> > it
> > > > now
> > > > > > does
> > > > > > > > > very nicely.  But I have been trying to eradicate the
source
> > of
> > > > the
> > > > > > > > problem.
> > > > > > > > > I did the standard things I know to do.  I ran a complete
> > virus
> > > > check
> > > > > > of
> > > > > > > > all
> > > > > > > > > of the client machines.  I ran a virus check of all of the
> > volumes
> > > > on
> > > > > > my
> > > > > > > > > server.  I turned off all of the clients so none of them
were
> > > > running
> > > > > > at
> > > > > > > > the
> > > > > > > > > witching hour.  I read logs.  I looked for strange
processes
> > > > running
> > > > > > on
> > > > > > > > the
> > > > > > > > > server.  I looked for unexpected scheduled events.  So far
I
> > have
> > > > > > found
> > > > > > > > > nothing that has lead me to be able to eradicate the
problem.
> > I
> > > > am
> > > > > > now
> > > > > > > > > fairly conviced (though not positive) that the rogue
process
> > is
> > > > > > actually
> > > > > > > > not
> > > > > > > > > on a workstation, but in fact on the server itself, which
> > makes me
> > > > > > kind of
> > > > > > > > > nervous.  I wonder if anyone out there (including someone
at
> > > > > > Microsoft)
> > > > > > > > has a
> > > > > > > > > suggestion as to the best way to lay a trap for this racal
and
> > > > figure
> > > > > > out
> > > > > > > > how
> > > > > > > > > to eradicate it.  Any good ideas out there?
> > > > > > > > >
> > > > > > > > > I really would appreciate any help I can get.
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > >
> > > > > > > > > Rich
> > > > > > > >
> > > > > > > > Check all your .bat and .cmd files. Chances are that one of
them
> > > > > > > > uses a Command Line mailer.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > >
> > > >
> > > >
> >
> >
> >

"Pegasus (MVP)" wrote:

> You can check your log files like so:
>
> Line1 @echo off
> Line2 cd /d c:\crap
> Line3 for /L %%a in (2,1,1200) do fc tasks1.log tasks%%a.log  | find /i "No
> differences" > nul || (echo File tasks%%a.log is different! & pause)
>
> This untested batch file will show the name of every log file that is
> different
> from tasks1.log.
>
>
>
> "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> news:8EF937FE-AE87-4130-BC82-F45428F9A409@microsoft.com...
> > Dear Pegasus-
> >
> > Unfortunately I got your reply only this morning.  I weas sleeping when
> the
> > batch file ran at 3L26 AM.  So the procedure ran with the value of 1200
> last
> > night starting at 3:26 AM.  I will revise the batch file parameters and
> run
> > it again tonight.  I did get the 1200 files stored this morning and have
> not
> > had a chance yet to figure out how to analyze all of them.  They are all 3
> KB
> > each.  For wahtever reason, my exchange server was stopped this morning
> and
> > the logs indicated that it had stopped at 3:30 AM  I don't know why this
> > happened either or wheter it was related to the huge job I gave tie batch
> > file to do, but anyway I started the Exchage service up again and emails
> are
> > working fine now.
> >
> > Regards,
> >
> > Rich
> >
> > "Pegasus (MVP)" wrote:
> >
> > > Sorry, I made a mistake. Change the command to
> > > ping localhost -n 2
> > > in order to introduce a delay of about one second,
> > > then reduce the loop number back to 120.
> > >
> > >
> > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> > > news:9154CD91-D5D5-471D-9A1D-1FCB0A71F69F@microsoft.com...
> > > > Dear Pegasus:
> > > >
> > > > Your intuition was right.  It is a good thing you suggested that.  The
> > > batch
> > > > file didn't work for a couple of reasons.  I shouldhave checked it
> more
> > > > closely.  But now it seems to work fine.  Here is what I did to make
> it
> > > work.
> > > >  First, the thing went way too fast.  120 samples was done way too
> quickly
> > > so
> > > > I bumped the number up to 1200.  That is a lot to look through, but I
> > > guess I
> > > > can figure out how to compare the files to see what is different
> between
> > > > them.  Not a heck of a lot will be happening between 3:26 and 3:27 AM.
> > > The
> > > > second thing I had to adjust was the syntax.  There was a couple of
> quotes
> > > > missing in the commands. so I fixed that.  The defaut location of the
> > > pulist
> > > > was changed to where Windows puts it.  So the new batch file looks
> > > something
> > > > like this:
> > > >
> > > > @echo off
> > > > for /L %%a in (1,1,1200) do ("c:\program files\resource kit\pulist" >
> > > > c:\crap\tasks%%a.log & ping localhost -n 1)
> > > >
> > > > It seems to work fine, so tonight I will see if the task scheduler
> does
> > > its
> > > > thing and traps the nasty task.
> > > >
> > > > Again, I really appreicate your suggestiosn and help.
> > > >
> > > > Thanks,
> > > >
> > > > Rich
> > > >
> > > > "Pegasus (MVP)" wrote:
> > > >
> > > > > I trust you made sure that pulist.exe resides where my
> > > > > batch file expects it. I also recommend that you invoke
> > > > > that batch file manually at least once, for testing purposes.
> > > > >
> > > > >
> > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
> message
> > > > > news:F2DDBE24-3D84-4E0F-9600-4647200A38A2@microsoft.com...
> > > > > > Dear Pegasus:
> > > > > >
> > > > > > OK.  I created a batch file with your source code in it and am
> kicking
> > > it
> > > > > > off with the task shceduler.  I'll let you know what it tells me.
> > > > > >
> > > > > > Thanks again.
> > > > > >
> > > > > > Rich
> > > > > >
> > > > > > "Pegasus (MVP)" wrote:
> > > > > >
> > > > > > > Since the mail is always sent at 3:27, I would create a task
> that
> > > > > > > runs at 3:26 and takes a snapshot of all running processes,
> > > > > > > perhaps something like this:
> > > > > > >
> > > > > > > @echo off
> > > > > > > for /L %%a in (1,1,120) do (c:\tools\pulist > c:\tasks%%a.log &
> ping
> > > > > > > localhost -n 1)
> > > > > > >
> > > > > > > This would give you 120 task list files that you can examine for
> > > > > > > the command line mailer used. Once you know its name, you
> > > > > > > can start tracking it down.
> > > > > > >
> > > > > > >
> > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
> > > message
> > > > > > > news:ECAAEF15-6445-4E6D-A44A-DD7E69550634@microsoft.com...
> > > > > > > > Dear Pegaus-
> > > > > > > >
> > > > > > > > Thanks for replying.  I wish that was it.  I had checked the
> ..bat
> > > > > files
> > > > > > > > already, but forgot about the .cmd files.  So after your
> > > suggestion I
> > > > > > > looked
> > > > > > > > through all the .bat and .cmd files.  None of them looked to
> be
> > > the
> > > > > > > culprit.
> > > > > > > > That was a good thought though.  Any other wisdom?
> > > > > > > >
> > > > > > > > "Pegasus (MVP)" wrote:
> > > > > > > >
> > > > > > > > >
> > > > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote
> in
> > > > > message
> > > > > > > > > news:39C66C1C-A57D-415E-9141-E2C656AA8B54@microsoft.com...
> > > > > > > > > > I am running a SBS 2003 server.  At exactly 3:27 AM every
> > > morning,
> > > > > > > some
> > > > > > > > > > process is trying to send out mail both to me and others.
> The
> > > > > lsit of
> > > > > > > > > others
> > > > > > > > > > is always the same and I am thinking that some email came
> in
> > > with
> > > > > soem
> > > > > > > > > > infection attached.  I don't know any of the other
> addressees.
> > > I
> > > > > say
> > > > > > > > > > "trying" because I have actually blocked anything from
> going
> > > out
> > > > > by
> > > > > > > > > setting
> > > > > > > > > > up some rules in my Trend Client Server Messaging Suite
> SMB
> > > and
> > > > > that
> > > > > > > rule
> > > > > > > > > was
> > > > > > > > > > set up to delete the three mails that occur at 3:27 AM,
> which
> > > it
> > > > > now
> > > > > > > does
> > > > > > > > > > very nicely.  But I have been trying to eradicate the
> source
> > > of
> > > > > the
> > > > > > > > > problem.
> > > > > > > > > > I did the standard things I know to do.  I ran a complete
> > > virus
> > > > > check
> > > > > > > of
> > > > > > > > > all
> > > > > > > > > > of the client machines.  I ran a virus check of all of the
> > > volumes
> > > > > on
> > > > > > > my
> > > > > > > > > > server.  I turned off all of the clients so none of them
> were
> > > > > running
> > > > > > > at
> > > > > > > > > the
> > > > > > > > > > witching hour.  I read logs.  I looked for strange
> processes
> > > > > running
> > > > > > > on
> > > > > > > > > the
> > > > > > > > > > server.  I looked for unexpected scheduled events.  So far
> I
> > > have
> > > > > > > found
> > > > > > > > > > nothing that has lead me to be able to eradicate the
> problem.
> > > I
> > > > > am
> > > > > > > now
> > > > > > > > > > fairly conviced (though not positive) that the rogue
> process
> > > is
> > > > > > > actually
> > > > > > > > > not
> > > > > > > > > > on a workstation, but in fact on the server itself, which
> > > makes me
> > > > > > > kind of
> > > > > > > > > > nervous.  I wonder if anyone out there (including someone
> at
> > > > > > > Microsoft)
> > > > > > > > > has a
> > > > > > > > > > suggestion as to the best way to lay a trap for this racal
> and
> > > > > figure
> > > > > > > out
> > > > > > > > > how
> > > > > > > > > > to eradicate it.  Any good ideas out there?
> > > > > > > > > >
> > > > > > > > > > I really would appreciate any help I can get.
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > >
> > > > > > > > > > Rich
> > > > > > > > >
> > > > > > > > > Check all your .bat and .cmd files. Chances are that one of
> them
> > > > > > > > > uses a Command Line mailer.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > >
> > > > >
> > > > >
> > >
> > >
> > >
>
>
>

"Rich Farkas" wrote:

> Dear Pegasus:
>
> That is a great idea.  I will run and debug that batch file you provided and
> see if it yields anything for this trial run of 1200 files.  I also will
> re-run the origianl test program you provided; modified for the longer delay
> and only 120 samples tonight too.  SO I have some work to do.  I will get
> back to you wth my findings.
>
> Thanks,
>
> Rich
>
> "Pegasus (MVP)" wrote:
>
> > You can check your log files like so:
> >
> > Line1 @echo off
> > Line2 cd /d c:\crap
> > Line3 for /L %%a in (2,1,1200) do fc tasks1.log tasks%%a.log  | find /i "No
> > differences" > nul || (echo File tasks%%a.log is different! & pause)
> >
> > This untested batch file will show the name of every log file that is
> > different
> > from tasks1.log.
> >
> >
> >
> > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> > news:8EF937FE-AE87-4130-BC82-F45428F9A409@microsoft.com...
> > > Dear Pegasus-
> > >
> > > Unfortunately I got your reply only this morning.  I weas sleeping when
> > the
> > > batch file ran at 3L26 AM.  So the procedure ran with the value of 1200
> > last
> > > night starting at 3:26 AM.  I will revise the batch file parameters and
> > run
> > > it again tonight.  I did get the 1200 files stored this morning and have
> > not
> > > had a chance yet to figure out how to analyze all of them.  They are all 3
> > KB
> > > each.  For wahtever reason, my exchange server was stopped this morning
> > and
> > > the logs indicated that it had stopped at 3:30 AM  I don't know why this
> > > happened either or wheter it was related to the huge job I gave tie batch
> > > file to do, but anyway I started the Exchage service up again and emails
> > are
> > > working fine now.
> > >
> > > Regards,
> > >
> > > Rich
> > >
> > > "Pegasus (MVP)" wrote:
> > >
> > > > Sorry, I made a mistake. Change the command to
> > > > ping localhost -n 2
> > > > in order to introduce a delay of about one second,
> > > > then reduce the loop number back to 120.
> > > >
> > > >
> > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> > > > news:9154CD91-D5D5-471D-9A1D-1FCB0A71F69F@microsoft.com...
> > > > > Dear Pegasus:
> > > > >
> > > > > Your intuition was right.  It is a good thing you suggested that.  The
> > > > batch
> > > > > file didn't work for a couple of reasons.  I shouldhave checked it
> > more
> > > > > closely.  But now it seems to work fine.  Here is what I did to make
> > it
> > > > work.
> > > > >  First, the thing went way too fast.  120 samples was done way too
> > quickly
> > > > so
> > > > > I bumped the number up to 1200.  That is a lot to look through, but I
> > > > guess I
> > > > > can figure out how to compare the files to see what is different
> > between
> > > > > them.  Not a heck of a lot will be happening between 3:26 and 3:27 AM.
> > > > The
> > > > > second thing I had to adjust was the syntax.  There was a couple of
> > quotes
> > > > > missing in the commands. so I fixed that.  The defaut location of the
> > > > pulist
> > > > > was changed to where Windows puts it.  So the new batch file looks
> > > > something
> > > > > like this:
> > > > >
> > > > > @echo off
> > > > > for /L %%a in (1,1,1200) do ("c:\program files\resource kit\pulist" >
> > > > > c:\crap\tasks%%a.log & ping localhost -n 1)
> > > > >
> > > > > It seems to work fine, so tonight I will see if the task scheduler
> > does
> > > > its
> > > > > thing and traps the nasty task.
> > > > >
> > > > > Again, I really appreicate your suggestiosn and help.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Rich
> > > > >
> > > > > "Pegasus (MVP)" wrote:
> > > > >
> > > > > > I trust you made sure that pulist.exe resides where my
> > > > > > batch file expects it. I also recommend that you invoke
> > > > > > that batch file manually at least once, for testing purposes.
> > > > > >
> > > > > >
> > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
> > message
> > > > > > news:F2DDBE24-3D84-4E0F-9600-4647200A38A2@microsoft.com...
> > > > > > > Dear Pegasus:
> > > > > > >
> > > > > > > OK.  I created a batch file with your source code in it and am
> > kicking
> > > > it
> > > > > > > off with the task shceduler.  I'll let you know what it tells me.
> > > > > > >
> > > > > > > Thanks again.
> > > > > > >
> > > > > > > Rich
> > > > > > >
> > > > > > > "Pegasus (MVP)" wrote:
> > > > > > >
> > > > > > > > Since the mail is always sent at 3:27, I would create a task
> > that
> > > > > > > > runs at 3:26 and takes a snapshot of all running processes,
> > > > > > > > perhaps something like this:
> > > > > > > >
> > > > > > > > @echo off
> > > > > > > > for /L %%a in (1,1,120) do (c:\tools\pulist > c:\tasks%%a.log &
> > ping
> > > > > > > > localhost -n 1)
> > > > > > > >
> > > > > > > > This would give you 120 task list files that you can examine for
> > > > > > > > the command line mailer used. Once you know its name, you
> > > > > > > > can start tracking it down.
> > > > > > > >
> > > > > > > >
> > > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
> > > > message
> > > > > > > > news:ECAAEF15-6445-4E6D-A44A-DD7E69550634@microsoft.com...
> > > > > > > > > Dear Pegaus-
> > > > > > > > >
> > > > > > > > > Thanks for replying.  I wish that was it.  I had checked the
> > ..bat
> > > > > > files
> > > > > > > > > already, but forgot about the .cmd files.  So after your
> > > > suggestion I
> > > > > > > > looked
> > > > > > > > > through all the .bat and .cmd files.  None of them looked to
> > be
> > > > the
> > > > > > > > culprit.
> > > > > > > > > That was a good thought though.  Any other wisdom?
> > > > > > > > >
> > > > > > > > > "Pegasus (MVP)" wrote:
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote
> > in
> > > > > > message
> > > > > > > > > > news:39C66C1C-A57D-415E-9141-E2C656AA8B54@microsoft.com...
> > > > > > > > > > > I am running a SBS 2003 server.  At exactly 3:27 AM every
> > > > morning,
> > > > > > > > some
> > > > > > > > > > > process is trying to send out mail both to me and others.
> > The
> > > > > > lsit of
> > > > > > > > > > others
> > > > > > > > > > > is always the same and I am thinking that some email came
> > in
> > > > with
> > > > > > soem
> > > > > > > > > > > infection attached.  I don't know any of the other
> > addressees.
> > > > I
> > > > > > say
> > > > > > > > > > > "trying" because I have actually blocked anything from
> > going
> > > > out
> > > > > > by
> > > > > > > > > > setting
> > > > > > > > > > > up some rules in my Trend Client Server Messaging Suite
> > SMB
> > > > and
> > > > > > that
> > > > > > > > rule
> > > > > > > > > > was
> > > > > > > > > > > set up to delete the three mails that occur at 3:27 AM,
> > which
> > > > it
> > > > > > now
> > > > > > > > does
> > > > > > > > > > > very nicely.  But I have been trying to eradicate the
> > source
> > > > of
> > > > > > the
> > > > > > > > > > problem.
> > > > > > > > > > > I did the standard things I know to do.  I ran a complete
> > > > virus
> > > > > > check
> > > > > > > > of
> > > > > > > > > > all
> > > > > > > > > > > of the client machines.  I ran a virus check of all of the
> > > > volumes
> > > > > > on
> > > > > > > > my
> > > > > > > > > > > server.  I turned off all of the clients so none of them
> > were
> > > > > > running
> > > > > > > > at
> > > > > > > > > > the
> > > > > > > > > > > witching hour.  I read logs.  I looked for strange
> > processes
> > > > > > running
> > > > > > > > on
> > > > > > > > > > the
> > > > > > > > > > > server.  I looked for unexpected scheduled events.  So far
> > I
> > > > have
> > > > > > > > found
> > > > > > > > > > > nothing that has lead me to be able to eradicate the
> > problem.
> > > > I
> > > > > > am
> > > > > > > > now
> > > > > > > > > > > fairly conviced (though not positive) that the rogue
> > process
> > > > is
> > > > > > > > actually
> > > > > > > > > > not
> > > > > > > > > > > on a workstation, but in fact on the server itself, which
> > > > makes me
> > > > > > > > kind of
> > > > > > > > > > > nervous.  I wonder if anyone out there (including someone
> > at
> > > > > > > > Microsoft)
> > > > > > > > > > has a
> > > > > > > > > > > suggestion as to the best way to lay a trap for this racal
> > and
> > > > > > figure
> > > > > > > > out
> > > > > > > > > > how
> > > > > > > > > > > to eradicate it.  Any good ideas out there?
> > > > > > > > > > >
> > > > > > > > > > > I really would appreciate any help I can get.
> > > > > > > > > > >
> > > > > > > > > > > Thanks,
> > > > > > > > > > >
> > > > > > > > > > > Rich
> > > > > > > > > >
> > > > > > > > > > Check all your .bat and .cmd files. Chances are that one of
> > them
> > > > > > > > > > uses a Command Line mailer.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > >
> > > >
> > > >
> >
> >
> >

"Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
news:AEBFBE4C-F05B-49B5-A9D4-A1CDD6177977@microsoft.com...
> Dear Pegasus:
>
> OK.  I edited the origianl batch file and changed the delay value to 2.
> That slowed thing down as expected.  I then changed the value of the
nu,ber
> of samples, reducing it from 1200.  But I decided ona a value of 200
because
> for some reason last night the bogus emails tried to go out at 3:30 AM
> instead of 3:27 AM  The value of 200 samples was well over 5 minutes with
the
> delay set to 2, so I think this will be a happy compromise.  I then
created a
> new batch file to test for the differences.  Since your batch file
required a
> keystroke for every comparison, I changed it a little bit to look at all
the
> differences and then pause at the end.  It is now written (called
> deltacrap.bat or something like that) as follows:
>
> @echo off
> cd /d c:\crap
> for /L %%a in (2,1,200) do fc tasks1.log tasks%%a.log | find /i "No
> differences" > nul || (echo File tasks%%a.log is different!)
> pause
>
> It seems to work just fine.  However it has shown every new log file to be
> different.   So I was worried that the batch file was defective.  It
really
> isn't.  The plain fact is when I went to check, in fact every log file was
a
> little bit different.  Different tasks were running at all those different
> times.  So it is working, but not very useful.  But since I get a time
stamp
> for the deleted email attempts by the rogue process, I think I will first
> find out when Trend deleted the email attempts, go back a minute or so and
> manually look at the log files to see what processes were running for a
> minute or two.  Either that or I can edit the batch file as needed and
change
> the log file to which I should compare to and look differentially from
that
> log forward.   Otherwise the only other option would be to make a batch
file
> that spells out what the differences are between on log file and the next.
> This would be real work.
>
> Thanks again Pegasus.  I really appreciate what you are doing to help.  I
> will give you a dump tomorrow as to the results.  I have two Microsoft
Tech
> sessions to attend tomorrow in the AM and a TS2 or two in the afternoon.
So
> I wil be in Microsoft training all day tomorrow, but I will dump the
results
> tomorrow night.
>
> Regards,
>
> Rich
>
> "Rich Farkas" wrote:
>
> > Dear Pegasus:
> >
> > That is a great idea.  I will run and debug that batch file you provided
and
> > see if it yields anything for this trial run of 1200 files.  I also will
> > re-run the origianl test program you provided; modified for the longer
delay
> > and only 120 samples tonight too.  SO I have some work to do.  I will
get
> > back to you wth my findings.
> >
> > Thanks,
> >
> > Rich
> >
> > "Pegasus (MVP)" wrote:
> >
> > > You can check your log files like so:
> > >
> > > Line1 @echo off
> > > Line2 cd /d c:\crap
> > > Line3 for /L %%a in (2,1,1200) do fc tasks1.log tasks%%a.log  | find
/i "No
> > > differences" > nul || (echo File tasks%%a.log is different! & pause)
> > >
> > > This untested batch file will show the name of every log file that is
> > > different
> > > from tasks1.log.
> > >
> > >
> > >
> > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> > > news:8EF937FE-AE87-4130-BC82-F45428F9A409@microsoft.com...
> > > > Dear Pegasus-
> > > >
> > > > Unfortunately I got your reply only this morning.  I weas sleeping
when
> > > the
> > > > batch file ran at 3L26 AM.  So the procedure ran with the value of
1200
> > > last
> > > > night starting at 3:26 AM.  I will revise the batch file parameters
and
> > > run
> > > > it again tonight.  I did get the 1200 files stored this morning and
have
> > > not
> > > > had a chance yet to figure out how to analyze all of them.  They are
all 3
> > > KB
> > > > each.  For wahtever reason, my exchange server was stopped this
morning
> > > and
> > > > the logs indicated that it had stopped at 3:30 AM  I don't know why
this
> > > > happened either or wheter it was related to the huge job I gave tie
batch
> > > > file to do, but anyway I started the Exchage service up again and
emails
> > > are
> > > > working fine now.
> > > >
> > > > Regards,
> > > >
> > > > Rich
> > > >
> > > > "Pegasus (MVP)" wrote:
> > > >
> > > > > Sorry, I made a mistake. Change the command to
> > > > > ping localhost -n 2
> > > > > in order to introduce a delay of about one second,
> > > > > then reduce the loop number back to 120.
> > > > >
> > > > >
> > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
message
> > > > > news:9154CD91-D5D5-471D-9A1D-1FCB0A71F69F@microsoft.com...
> > > > > > Dear Pegasus:
> > > > > >
> > > > > > Your intuition was right.  It is a good thing you suggested

> > > > > batch
> > > > > > file didn't work for a couple of reasons.  I shouldhave checked
it
> > > more
> > > > > > closely.  But now it seems to work fine.  Here is what I did to
make
> > > it
> > > > > work.
> > > > > >  First, the thing went way too fast.  120 samples was done way
too
> > > quickly
> > > > > so
> > > > > > I bumped the number up to 1200.  That is a lot to look through,
but I
> > > > > guess I
> > > > > > can figure out how to compare the files to see what is different
> > > between
> > > > > > them.  Not a heck of a lot will be happening between 3:26 and

> > > > > > c:\crap\tasks%%a.log & ping localhost -n 1)
> > > > > >
> > > > > > It seems to work fine, so tonight I will see if the task
scheduler
> > > does
> > > > > its
> > > > > > thing and traps the nasty task.
> > > > > >
> > > > > > Again, I really appreicate your suggestiosn and help.
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Rich
> > > > > >
> > > > > > "Pegasus (MVP)" wrote:
> > > > > >
> > > > > > > I trust you made sure that pulist.exe resides where my
> > > > > > > batch file expects it. I also recommend that you invoke
> > > > > > > that batch file manually at least once, for testing purposes.
> > > > > > >
> > > > > > >
> > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
> > > message
> > > > > > > news:F2DDBE24-3D84-4E0F-9600-4647200A38A2@microsoft.com...
> > > > > > > > Dear Pegasus:
> > > > > > > >
> > > > > > > > OK.  I created a batch file with your source code in it and
am
> > > kicking
> > > > > it
> > > > > > > > off with the task shceduler.  I'll let you know what it
tells me.
> > > > > > > >
> > > > > > > > Thanks again.
> > > > > > > >
> > > > > > > > Rich
> > > > > > > >
> > > > > > > > "Pegasus (MVP)" wrote:
> > > > > > > >
> > > > > > > > > Since the mail is always sent at 3:27, I would create a
task
> > > that
> > > > > > > > > runs at 3:26 and takes a snapshot of all running
processes,
> > > > > > > > > perhaps something like this:
> > > > > > > > >
> > > > > > > > > @echo off
> > > > > > > > > for /L %%a in (1,1,120) do (c:\tools\pulist >

> > > ping
> > > > > > > > > localhost -n 1)
> > > > > > > > >
> > > > > > > > > This would give you 120 task list files that you can
examine for
> > > > > > > > > the command line mailer used. Once you know its name, you
> > > > > > > > > can start tracking it down.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote
in
> > > > > message
> > > > > > > > > news:ECAAEF15-6445-4E6D-A44A-DD7E69550634@microsoft.com...
> > > > > > > > > > Dear Pegaus-
> > > > > > > > > >
> > > > > > > > > > Thanks for replying.  I wish that was it.  I had checked
the
> > > ..bat
> > > > > > > files
> > > > > > > > > > already, but forgot about the .cmd files.  So after your
> > > > > suggestion I
> > > > > > > > > looked
> > > > > > > > > > through all the .bat and .cmd files.  None of them
looked to
> > > be
> > > > > the
> > > > > > > > > culprit.
> > > > > > > > > > That was a good thought though.  Any other wisdom?
> > > > > > > > > >
> > > > > > > > > > "Pegasus (MVP)" wrote:
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com>
wrote
> > > in
> > > > > > > message
> > > > > > > > > > >
news:39C66C1C-A57D-415E-9141-E2C656AA8B54@microsoft.com...
> > > > > > > > > > > > I am running a SBS 2003 server.  At exactly 3:27 AM
every
> > > > > morning,
> > > > > > > > > some
> > > > > > > > > > > > process is trying to send out mail both to me and
others.
> > > The
> > > > > > > lsit of
> > > > > > > > > > > others
> > > > > > > > > > > > is always the same and I am thinking that some email
came
> > > in
> > > > > with
> > > > > > > soem
> > > > > > > > > > > > infection attached.  I don't know any of the other
> > > addressees.
> > > > > I
> > > > > > > say
> > > > > > > > > > > > "trying" because I have actually blocked anything
from
> > > going
> > > > > out
> > > > > > > by
> > > > > > > > > > > setting
> > > > > > > > > > > > up some rules in my Trend Client Server Messaging
Suite
> > > SMB
> > > > > and
> > > > > > > that
> > > > > > > > > rule
> > > > > > > > > > > was
> > > > > > > > > > > > set up to delete the three mails that occur at 3:27
AM,
> > > which
> > > > > it
> > > > > > > now
> > > > > > > > > does
> > > > > > > > > > > > very nicely.  But I have been trying to eradicate
the
> > > source
> > > > > of
> > > > > > > the
> > > > > > > > > > > problem.
> > > > > > > > > > > > I did the standard things I know to do.  I ran a
complete
> > > > > virus
> > > > > > > check
> > > > > > > > > of
> > > > > > > > > > > all
> > > > > > > > > > > > of the client machines.  I ran a virus check of all
of the
> > > > > volumes
> > > > > > > on
> > > > > > > > > my
> > > > > > > > > > > > server.  I turned off all of the clients so none of
them
> > > were
> > > > > > > running
> > > > > > > > > at
> > > > > > > > > > > the
> > > > > > > > > > > > witching hour.  I read logs.  I looked for strange
> > > processes
> > > > > > > running
> > > > > > > > > on
> > > > > > > > > > > the
> > > > > > > > > > > > server.  I looked for unexpected scheduled events.
So far
> > > I
> > > > > have
> > > > > > > > > found
> > > > > > > > > > > > nothing that has lead me to be able to eradicate the
> > > problem.
> > > > > I
> > > > > > > am
> > > > > > > > > now
> > > > > > > > > > > > fairly conviced (though not positive) that the rogue
> > > process
> > > > > is
> > > > > > > > > actually
> > > > > > > > > > > not
> > > > > > > > > > > > on a workstation, but in fact on the server itself,
which
> > > > > makes me
> > > > > > > > > kind of
> > > > > > > > > > > > nervous.  I wonder if anyone out there (including
someone
> > > at
> > > > > > > > > Microsoft)
> > > > > > > > > > > has a
> > > > > > > > > > > > suggestion as to the best way to lay a trap for this
racal
> > > and
> > > > > > > figure
> > > > > > > > > out
> > > > > > > > > > > how
> > > > > > > > > > > > to eradicate it.  Any good ideas out there?
> > > > > > > > > > > >
> > > > > > > > > > > > I really would appreciate any help I can get.
> > > > > > > > > > > >
> > > > > > > > > > > > Thanks,
> > > > > > > > > > > >
> > > > > > > > > > > > Rich
> > > > > > > > > > >
> > > > > > > > > > > Check all your .bat and .cmd files. Chances are that
one of
> > > them
> > > > > > > > > > > uses a Command Line mailer.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > >
> > > > >
> > > > >
> > >
> > >
> > >

"Pegasus (MVP)" wrote:

> Output from pulist.exe might differ from one moment to the next
> for two reasons:
> - Some processes might be duplicated
> - Processes might get different process numbers
> - Processes might be listed in a different order.
>
> You can avoid these problems by using this batch file instead:
>
> Line1 @echo off
> Line2 cd /d c:\PCCrap
> Line3 for /L %%a in (1,1,200) do call :Sub %%a
> Line4 goto :eof
> Line5
> Line6 :Sub
> Line7 if exist temp.txt del temp.txt
> Line8 for /F %%a in ('"c:\program files\resource kit\pulist" ^| sort') do
> echo %%a >> temp.txt
> Line9 type temp.txt | uniq.exe > Tasks%1.log
> Line10 ping localhost -n 2 > nul
>
> Note the sequence of quotes in Line 8:  ( ' ", then  ' ).
> I attach a copy of uniq.ex for your convenience.
>
>
> "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> news:AEBFBE4C-F05B-49B5-A9D4-A1CDD6177977@microsoft.com...
> > Dear Pegasus:
> >
> > OK.  I edited the origianl batch file and changed the delay value to 2.
> > That slowed thing down as expected.  I then changed the value of the
> nu,ber
> > of samples, reducing it from 1200.  But I decided ona a value of 200
> because
> > for some reason last night the bogus emails tried to go out at 3:30 AM
> > instead of 3:27 AM  The value of 200 samples was well over 5 minutes with
> the
> > delay set to 2, so I think this will be a happy compromise.  I then
> created a
> > new batch file to test for the differences.  Since your batch file
> required a
> > keystroke for every comparison, I changed it a little bit to look at all
> the
> > differences and then pause at the end.  It is now written (called
> > deltacrap.bat or something like that) as follows:
> >
> > @echo off
> > cd /d c:\crap
> > for /L %%a in (2,1,200) do fc tasks1.log tasks%%a.log | find /i "No
> > differences" > nul || (echo File tasks%%a.log is different!)
> > pause
> >
> > It seems to work just fine.  However it has shown every new log file to be
> > different.   So I was worried that the batch file was defective.  It
> really
> > isn't.  The plain fact is when I went to check, in fact every log file was
> a
> > little bit different.  Different tasks were running at all those different
> > times.  So it is working, but not very useful.  But since I get a time
> stamp
> > for the deleted email attempts by the rogue process, I think I will first
> > find out when Trend deleted the email attempts, go back a minute or so and
> > manually look at the log files to see what processes were running for a
> > minute or two.  Either that or I can edit the batch file as needed and
> change
> > the log file to which I should compare to and look differentially from
> that
> > log forward.   Otherwise the only other option would be to make a batch
> file
> > that spells out what the differences are between on log file and the next.
> > This would be real work.
> >
> > Thanks again Pegasus.  I really appreciate what you are doing to help.  I
> > will give you a dump tomorrow as to the results.  I have two Microsoft
> Tech
> > sessions to attend tomorrow in the AM and a TS2 or two in the afternoon.
> So
> > I wil be in Microsoft training all day tomorrow, but I will dump the
> results
> > tomorrow night.
> >
> > Regards,
> >
> > Rich
> >
> > "Rich Farkas" wrote:
> >
> > > Dear Pegasus:
> > >
> > > That is a great idea.  I will run and debug that batch file you provided
> and
> > > see if it yields anything for this trial run of 1200 files.  I also will
> > > re-run the origianl test program you provided; modified for the longer
> delay
> > > and only 120 samples tonight too.  SO I have some work to do.  I will
> get
> > > back to you wth my findings.
> > >
> > > Thanks,
> > >
> > > Rich
> > >
> > > "Pegasus (MVP)" wrote:
> > >
> > > > You can check your log files like so:
> > > >
> > > > Line1 @echo off
> > > > Line2 cd /d c:\crap
> > > > Line3 for /L %%a in (2,1,1200) do fc tasks1.log tasks%%a.log  | find
> /i "No
> > > > differences" > nul || (echo File tasks%%a.log is different! & pause)
> > > >
> > > > This untested batch file will show the name of every log file that is
> > > > different
> > > > from tasks1.log.
> > > >
> > > >
> > > >
> > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> > > > news:8EF937FE-AE87-4130-BC82-F45428F9A409@microsoft.com...
> > > > > Dear Pegasus-
> > > > >
> > > > > Unfortunately I got your reply only this morning.  I weas sleeping
> when
> > > > the
> > > > > batch file ran at 3L26 AM.  So the procedure ran with the value of
> 1200
> > > > last
> > > > > night starting at 3:26 AM.  I will revise the batch file parameters
> and
> > > > run
> > > > > it again tonight.  I did get the 1200 files stored this morning and
> have
> > > > not
> > > > > had a chance yet to figure out how to analyze all of them.  They are
> all 3
> > > > KB
> > > > > each.  For wahtever reason, my exchange server was stopped this
> morning
> > > > and
> > > > > the logs indicated that it had stopped at 3:30 AM  I don't know why
> this
> > > > > happened either or wheter it was related to the huge job I gave tie
> batch
> > > > > file to do, but anyway I started the Exchage service up again and
> emails
> > > > are
> > > > > working fine now.
> > > > >
> > > > > Regards,
> > > > >
> > > > > Rich
> > > > >
> > > > > "Pegasus (MVP)" wrote:
> > > > >
> > > > > > Sorry, I made a mistake. Change the command to
> > > > > > ping localhost -n 2
> > > > > > in order to introduce a delay of about one second,
> > > > > > then reduce the loop number back to 120.
> > > > > >
> > > > > >
> > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
> message
> > > > > > news:9154CD91-D5D5-471D-9A1D-1FCB0A71F69F@microsoft.com...
> > > > > > > Dear Pegasus:
> > > > > > >
> > > > > > > Your intuition was right.  It is a good thing you suggested
> that.  The
> > > > > > batch
> > > > > > > file didn't work for a couple of reasons.  I shouldhave checked
> it
> > > > more
> > > > > > > closely.  But now it seems to work fine.  Here is what I did to
> make
> > > > it
> > > > > > work.
> > > > > > >  First, the thing went way too fast.  120 samples was done way
> too
> > > > quickly
> > > > > > so
> > > > > > > I bumped the number up to 1200.  That is a lot to look through,
> but I
> > > > > > guess I
> > > > > > > can figure out how to compare the files to see what is different
> > > > between
> > > > > > > them.  Not a heck of a lot will be happening between 3:26 and
> 3:27 AM.
> > > > > > The
> > > > > > > second thing I had to adjust was the syntax.  There was a couple
> of
> > > > quotes
> > > > > > > missing in the commands. so I fixed that.  The defaut location
> of the
> > > > > > pulist
> > > > > > > was changed to where Windows puts it.  So the new batch file
> looks
> > > > > > something
> > > > > > > like this:
> > > > > > >
> > > > > > > @echo off
> > > > > > > for /L %%a in (1,1,1200) do ("c:\program files\resource
> kit\pulist" >
> > > > > > > c:\crap\tasks%%a.log & ping localhost -n 1)
> > > > > > >
> > > > > > > It seems to work fine, so tonight I will see if the task
> scheduler
> > > > does
> > > > > > its
> > > > > > > thing and traps the nasty task.
> > > > > > >
> > > > > > > Again, I really appreicate your suggestiosn and help.
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > > Rich
> > > > > > >
> > > > > > > "Pegasus (MVP)" wrote:
> > > > > > >
> > > > > > > > I trust you made sure that pulist.exe resides where my
> > > > > > > > batch file expects it. I also recommend that you invoke
> > > > > > > > that batch file manually at least once, for testing purposes.
> > > > > > > >
> > > > > > > >
> > > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
> > > > message
> > > > > > > > news:F2DDBE24-3D84-4E0F-9600-4647200A38A2@microsoft.com...
> > > > > > > > > Dear Pegasus:
> > > > > > > > >
> > > > > > > > > OK.  I created a batch file with your source code in it and
> am
> > > > kicking
> > > > > > it
> > > > > > > > > off with the task shceduler.  I'll let you know what it
> tells me.
> > > > > > > > >
> > > > > > > > > Thanks again.
> > > > > > > > >
> > > > > > > > > Rich
> > > > > > > > >
> > > > > > > > > "Pegasus (MVP)" wrote:
> > > > > > > > >
> > > > > > > > > > Since the mail is always sent at 3:27, I would create a
> task
> > > > that
> > > > > > > > > > runs at 3:26 and takes a snapshot of all running
> processes,
> > > > > > > > > > perhaps something like this:
> > > > > > > > > >
> > > > > > > > > > @echo off
> > > > > > > > > > for /L %%a in (1,1,120) do (c:\tools\pulist >
> c:\tasks%%a.log &
> > > > ping
> > > > > > > > > > localhost -n 1)
> > > > > > > > > >
> > > > > > > > > > This would give you 120 task list files that you can
> examine for
> > > > > > > > > > the command line mailer used. Once you know its name, you
> > > > > > > > > > can start tracking it down.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote
> in
> > > > > > message
> > > > > > > > > > news:ECAAEF15-6445-4E6D-A44A-DD7E69550634@microsoft.com...
> > > > > > > > > > > Dear Pegaus-
> > > > > > > > > > >
> > > > > > > > > > > Thanks for replying.  I wish that was it.  I had checked
> the
> > > > ..bat
> > > > > > > > files
> > > > > > > > > > > already, but forgot about the .cmd files.  So after your
> > > > > > suggestion I
> > > > > > > > > > looked
> > > > > > > > > > > through all the .bat and .cmd files.  None of them
> looked to
> > > > be
> > > > > > the
> > > > > > > > > > culprit.
> > > > > > > > > > > That was a good thought though.  Any other wisdom?
> > > > > > > > > > >
> > > > > > > > > > > "Pegasus (MVP)" wrote:
> > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com>
> wrote
> > > > in
> > > > > > > > message
> > > > > > > > > > > >
> news:39C66C1C-A57D-415E-9141-E2C656AA8B54@microsoft.com...
> > > > > > > > > > > > > I am running a SBS 2003 server.  At exactly 3:27 AM
> every
> > > > > > morning,
> > > > > > > > > > some
> > > > > > > > > > > > > process is trying to send out mail both to me and
> others.
> > > > The
> > > > > > > > lsit of
> > > > > > > > > > > > others
> > > > > > > > > > > > > is always the same and I am thinking that some email
> came
> > > > in

"Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
news:B552070A-B249-4789-A957-343B0CDC7092@microsoft.com...
> Dear Pegasus:
>
> Had you intended to provide a file named uniq.exe?  I do not see any way
to
> get it from your last correspondence.
>
> Thanks,
>
> Rich
>
> "Pegasus (MVP)" wrote:
>
> > Output from pulist.exe might differ from one moment to the next
> > for two reasons:
> > - Some processes might be duplicated
> > - Processes might get different process numbers
> > - Processes might be listed in a different order.
> >
> > You can avoid these problems by using this batch file instead:
> >
> > Line1 @echo off
> > Line2 cd /d c:\PCCrap
> > Line3 for /L %%a in (1,1,200) do call :Sub %%a
> > Line4 goto :eof
> > Line5
> > Line6 :Sub
> > Line7 if exist temp.txt del temp.txt
> > Line8 for /F %%a in ('"c:\program files\resource kit\pulist" ^| sort')
do
> > echo %%a >> temp.txt
> > Line9 type temp.txt | uniq.exe > Tasks%1.log
> > Line10 ping localhost -n 2 > nul
> >
> > Note the sequence of quotes in Line 8:  ( ' ", then  ' ).
> > I attach a copy of uniq.ex for your convenience.
> >
> >
> > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> > news:AEBFBE4C-F05B-49B5-A9D4-A1CDD6177977@microsoft.com...
> > > Dear Pegasus:
> > >
> > > OK.  I edited the origianl batch file and changed the delay value to
2.
> > > That slowed thing down as expected.  I then changed the value of the
> > nu,ber
> > > of samples, reducing it from 1200.  But I decided ona a value of 200
> > because
> > > for some reason last night the bogus emails tried to go out at 3:30 AM
> > > instead of 3:27 AM  The value of 200 samples was well over 5 minutes
with
> > the
> > > delay set to 2, so I think this will be a happy compromise.  I then
> > created a
> > > new batch file to test for the differences.  Since your batch file
> > required a
> > > keystroke for every comparison, I changed it a little bit to look at
all
> > the
> > > differences and then pause at the end.  It is now written (called
> > > deltacrap.bat or something like that) as follows:
> > >
> > > @echo off
> > > cd /d c:\crap
> > > for /L %%a in (2,1,200) do fc tasks1.log tasks%%a.log | find /i "No
> > > differences" > nul || (echo File tasks%%a.log is different!)
> > > pause
> > >
> > > It seems to work just fine.  However it has shown every new log file
to be
> > > different.   So I was worried that the batch file was defective.  It
> > really
> > > isn't.  The plain fact is when I went to check, in fact every log file
was
> > a
> > > little bit different.  Different tasks were running at all those
different
> > > times.  So it is working, but not very useful.  But since I get a time
> > stamp
> > > for the deleted email attempts by the rogue process, I think I will
first
> > > find out when Trend deleted the email attempts, go back a minute or so
and
> > > manually look at the log files to see what processes were running for
a
> > > minute or two.  Either that or I can edit the batch file as needed and
> > change
> > > the log file to which I should compare to and look differentially from
> > that
> > > log forward.   Otherwise the only other option would be to make a
batch
> > file
> > > that spells out what the differences are between on log file and the
next.
> > > This would be real work.
> > >
> > > Thanks again Pegasus.  I really appreciate what you are doing to help.
I
> > > will give you a dump tomorrow as to the results.  I have two Microsoft
> > Tech
> > > sessions to attend tomorrow in the AM and a TS2 or two in the
afternoon.
> > So
> > > I wil be in Microsoft training all day tomorrow, but I will dump the
> > results
> > > tomorrow night.
> > >
> > > Regards,
> > >
> > > Rich
> > >
> > > "Rich Farkas" wrote:
> > >
> > > > Dear Pegasus:
> > > >
> > > > That is a great idea.  I will run and debug that batch file you
provided
> > and
> > > > see if it yields anything for this trial run of 1200 files.  I also
will
> > > > re-run the origianl test program you provided; modified for the
longer
> > delay
> > > > and only 120 samples tonight too.  SO I have some work to do.  I
will
> > get
> > > > back to you wth my findings.
> > > >
> > > > Thanks,
> > > >
> > > > Rich
> > > >
> > > > "Pegasus (MVP)" wrote:
> > > >
> > > > > You can check your log files like so:
> > > > >
> > > > > Line1 @echo off
> > > > > Line2 cd /d c:\crap
> > > > > Line3 for /L %%a in (2,1,1200) do fc tasks1.log tasks%%a.log  |
find
> > /i "No
> > > > > differences" > nul || (echo File tasks%%a.log is different! &
pause)
> > > > >
> > > > > This untested batch file will show the name of every log file that
is
> > > > > different
> > > > > from tasks1.log.
> > > > >
> > > > >
> > > > >
> > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
message
> > > > > news:8EF937FE-AE87-4130-BC82-F45428F9A409@microsoft.com...
> > > > > > Dear Pegasus-
> > > > > >
> > > > > > Unfortunately I got your reply only this morning.  I weas
sleeping
> > when
> > > > > the
> > > > > > batch file ran at 3L26 AM.  So the procedure ran with the value
of
> > 1200
> > > > > last
> > > > > > night starting at 3:26 AM.  I will revise the batch file
parameters
> > and
> > > > > run
> > > > > > it again tonight.  I did get the 1200 files stored this morning
and
> > have
> > > > > not
> > > > > > had a chance yet to figure out how to analyze all of them.  They
are
> > all 3
> > > > > KB
> > > > > > each.  For wahtever reason, my exchange server was stopped this
> > morning
> > > > > and
> > > > > > the logs indicated that it had stopped at 3:30 AM  I don't know
why
> > this
> > > > > > happened either or wheter it was related to the huge job I gave
tie
> > batch
> > > > > > file to do, but anyway I started the Exchage service up again
and
> > emails
> > > > > are
> > > > > > working fine now.
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Rich
> > > > > >
> > > > > > "Pegasus (MVP)" wrote:
> > > > > >
> > > > > > > Sorry, I made a mistake. Change the command to
> > > > > > > ping localhost -n 2
> > > > > > > in order to introduce a delay of about one second,
> > > > > > > then reduce the loop number back to 120.
> > > > > > >
> > > > > > >
> > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
> > message
> > > > > > > news:9154CD91-D5D5-471D-9A1D-1FCB0A71F69F@microsoft.com...
> > > > > > > > Dear Pegasus:
> > > > > > > >
> > > > > > > > Your intuition was right.  It is a good thing you suggested
> > that.  The
> > > > > > > batch
> > > > > > > > file didn't work for a couple of reasons.  I shouldhave
checked
> > it
> > > > > more
> > > > > > > > closely.  But now it seems to work fine.  Here is what I did
to
> > make
> > > > > it
> > > > > > > work.
> > > > > > > >  First, the thing went way too fast.  120 samples was done
way
> > too
> > > > > quickly
> > > > > > > so
> > > > > > > > I bumped the number up to 1200.  That is a lot to look
through,
> > but I
> > > > > > > guess I
> > > > > > > > can figure out how to compare the files to see what is
different
> > > > > between
> > > > > > > > them.  Not a heck of a lot will be happening between 3:26
and
> > 3:27 AM.
> > > > > > > The
> > > > > > > > second thing I had to adjust was the syntax.  There was a
couple
> > of
> > > > > quotes
> > > > > > > > missing in the commands. so I fixed that.  The defaut
location
> > of the
> > > > > > > pulist
> > > > > > > > was changed to where Windows puts it.  So the new batch file
> > looks
> > > > > > > something
> > > > > > > > like this:
> > > > > > > >
> > > > > > > > @echo off
> > > > > > > > for /L %%a in (1,1,1200) do ("c:\program files\resource
> > kit\pulist" >
> > > > > > > > c:\crap\tasks%%a.log & ping localhost -n 1)
> > > > > > > >
> > > > > > > > It seems to work fine, so tonight I will see if the task
> > scheduler
> > > > > does
> > > > > > > its
> > > > > > > > thing and traps the nasty task.
> > > > > > > >
> > > > > > > > Again, I really appreicate your suggestiosn and help.
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > >
> > > > > > > > Rich
> > > > > > > >
> > > > > > > > "Pegasus (MVP)" wrote:
> > > > > > > >
> > > > > > > > > I trust you made sure that pulist.exe resides where my
> > > > > > > > > batch file expects it. I also recommend that you invoke
> > > > > > > > > that batch file manually at least once, for testing
purposes.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote
in
> > > > > message
> > > > > > > > > news:F2DDBE24-3D84-4E0F-9600-4647200A38A2@microsoft.com...
> > > > > > > > > > Dear Pegasus:
> > > > > > > > > >
> > > > > > > > > > OK.  I created a batch file with your source code in it
and
> > am
> > > > > kicking
> > > > > > > it
> > > > > > > > > > off with the task shceduler.  I'll let you know what it
> > tells me.
> > > > > > > > > >
> > > > > > > > > > Thanks again.
> > > > > > > > > >
> > > > > > > > > > Rich
> > > > > > > > > >
> > > > > > > > > > "Pegasus (MVP)" wrote:
> > > > > > > > > >
> > > > > > > > > > > Since the mail is always sent at 3:27, I would create
a
> > task
> > > > > that
> > > > > > > > > > > runs at 3:26 and takes a snapshot of all running
> > processes,
> > > > > > > > > > > perhaps something like this:
> > > > > > > > > > >
> > > > > > > > > > > @echo off
> > > > > > > > > > > for /L %%a in (1,1,120) do (c:\tools\pulist >
> > c:\tasks%%a.log &
> > > > > ping
> > > > > > > > > > > localhost -n 1)
> > > > > > > > > > >
> > > > > > > > > > > This would give you 120 task list files that you can
> > examine for
> > > > > > > > > > > the command line mailer used. Once you know its name,
you
> > > > > > > > > > > can start tracking it down.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com>
wrote
> > in
> > > > > > > message
> > > > > > > > > > >
news:ECAAEF15-6445-4E6D-A44A-DD7E69550634@microsoft.com...
> > > > > > > > > > > > Dear Pegaus-
> > > > > > > > > > > >
> > > > > > > > > > > > Thanks for replying.  I wish that was it.  I had
checked
> > the
> > > > > ..bat
> > > > > > > > > files
> > > > > > > > > > > > already, but forgot about the .cmd files.  So after
your
> > > > > > > suggestion I
> > > > > > > > > > > looked
> > > > > > > > > > > > through all the .bat and .cmd files.  None of them
> > looked to
> > > > > be
> > > > > > > the
> > > > > > > > > > > culprit.
> > > > > > > > > > > > That was a good thought though.  Any other wisdom?
> > > > > > > > > > > >
> > > > > > > > > > > > "Pegasus (MVP)" wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > "Rich Farkas"

> > wrote
> > > > > in
> > > > > > > > > message
> > > > > > > > > > > > >
> > news:39C66C1C-A57D-415E-9141-E2C656AA8B54@microsoft.com...
> > > > > > > > > > > > > > I am running a SBS 2003 server.  At exactly 3:27
AM
> > every
> > > > > > > morning,
> > > > > > > > > > > some
> > > > > > > > > > > > > > process is trying to send out mail both to me
and
> > others.
> > > > > The
> > > > > > > > > lsit of
> > > > > > > > > > > > > others
> > > > > > > > > > > > > > is always the same and I am thinking that some
email
> > came
> > > > > in

"Pegasus (MVP)" wrote:

> I attached uniq.ex, which you must rename to uniq.exe.
> Check your newsreader security settings - they might have
> detached it automatically. You could also check the
> Internet for download sites (if it still exists).
>
>
> "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> news:B552070A-B249-4789-A957-343B0CDC7092@microsoft.com...
> > Dear Pegasus:
> >
> > Had you intended to provide a file named uniq.exe?  I do not see any way
> to
> > get it from your last correspondence.
> >
> > Thanks,
> >
> > Rich
> >
> > "Pegasus (MVP)" wrote:
> >
> > > Output from pulist.exe might differ from one moment to the next
> > > for two reasons:
> > > - Some processes might be duplicated
> > > - Processes might get different process numbers
> > > - Processes might be listed in a different order.
> > >
> > > You can avoid these problems by using this batch file instead:
> > >
> > > Line1 @echo off
> > > Line2 cd /d c:\PCCrap
> > > Line3 for /L %%a in (1,1,200) do call :Sub %%a
> > > Line4 goto :eof
> > > Line5
> > > Line6 :Sub
> > > Line7 if exist temp.txt del temp.txt
> > > Line8 for /F %%a in ('"c:\program files\resource kit\pulist" ^| sort')
> do
> > > echo %%a >> temp.txt
> > > Line9 type temp.txt | uniq.exe > Tasks%1.log
> > > Line10 ping localhost -n 2 > nul
> > >
> > > Note the sequence of quotes in Line 8:  ( ' ", then  ' ).
> > > I attach a copy of uniq.ex for your convenience.
> > >
> > >
> > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> > > news:AEBFBE4C-F05B-49B5-A9D4-A1CDD6177977@microsoft.com...
> > > > Dear Pegasus:
> > > >
> > > > OK.  I edited the origianl batch file and changed the delay value to
> 2.
> > > > That slowed thing down as expected.  I then changed the value of the
> > > nu,ber
> > > > of samples, reducing it from 1200.  But I decided ona a value of 200
> > > because
> > > > for some reason last night the bogus emails tried to go out at 3:30 AM
> > > > instead of 3:27 AM  The value of 200 samples was well over 5 minutes
> with
> > > the
> > > > delay set to 2, so I think this will be a happy compromise.  I then
> > > created a
> > > > new batch file to test for the differences.  Since your batch file
> > > required a
> > > > keystroke for every comparison, I changed it a little bit to look at
> all
> > > the
> > > > differences and then pause at the end.  It is now written (called
> > > > deltacrap.bat or something like that) as follows:
> > > >
> > > > @echo off
> > > > cd /d c:\crap
> > > > for /L %%a in (2,1,200) do fc tasks1.log tasks%%a.log | find /i "No
> > > > differences" > nul || (echo File tasks%%a.log is different!)
> > > > pause
> > > >
> > > > It seems to work just fine.  However it has shown every new log file
> to be
> > > > different.   So I was worried that the batch file was defective.  It
> > > really
> > > > isn't.  The plain fact is when I went to check, in fact every log file
> was
> > > a
> > > > little bit different.  Different tasks were running at all those
> different
> > > > times.  So it is working, but not very useful.  But since I get a time
> > > stamp
> > > > for the deleted email attempts by the rogue process, I think I will
> first
> > > > find out when Trend deleted the email attempts, go back a minute or so
> and
> > > > manually look at the log files to see what processes were running for
> a
> > > > minute or two.  Either that or I can edit the batch file as needed and
> > > change
> > > > the log file to which I should compare to and look differentially from
> > > that
> > > > log forward.   Otherwise the only other option would be to make a
> batch
> > > file
> > > > that spells out what the differences are between on log file and the
> next.
> > > > This would be real work.
> > > >
> > > > Thanks again Pegasus.  I really appreciate what you are doing to help.
> I
> > > > will give you a dump tomorrow as to the results.  I have two Microsoft
> > > Tech
> > > > sessions to attend tomorrow in the AM and a TS2 or two in the
> afternoon.
> > > So
> > > > I wil be in Microsoft training all day tomorrow, but I will dump the
> > > results
> > > > tomorrow night.
> > > >
> > > > Regards,
> > > >
> > > > Rich
> > > >
> > > > "Rich Farkas" wrote:
> > > >
> > > > > Dear Pegasus:
> > > > >
> > > > > That is a great idea.  I will run and debug that batch file you
> provided
> > > and
> > > > > see if it yields anything for this trial run of 1200 files.  I also
> will
> > > > > re-run the origianl test program you provided; modified for the
> longer
> > > delay
> > > > > and only 120 samples tonight too.  SO I have some work to do.  I
> will
> > > get
> > > > > back to you wth my findings.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Rich
> > > > >
> > > > > "Pegasus (MVP)" wrote:
> > > > >
> > > > > > You can check your log files like so:
> > > > > >
> > > > > > Line1 @echo off
> > > > > > Line2 cd /d c:\crap
> > > > > > Line3 for /L %%a in (2,1,1200) do fc tasks1.log tasks%%a.log  |
> find
> > > /i "No
> > > > > > differences" > nul || (echo File tasks%%a.log is different! &
> pause)
> > > > > >
> > > > > > This untested batch file will show the name of every log file that
> is
> > > > > > different
> > > > > > from tasks1.log.
> > > > > >
> > > > > >
> > > > > >
> > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
> message
> > > > > > news:8EF937FE-AE87-4130-BC82-F45428F9A409@microsoft.com...
> > > > > > > Dear Pegasus-
> > > > > > >
> > > > > > > Unfortunately I got your reply only this morning.  I weas
> sleeping
> > > when
> > > > > > the
> > > > > > > batch file ran at 3L26 AM.  So the procedure ran with the value
> of
> > > 1200
> > > > > > last
> > > > > > > night starting at 3:26 AM.  I will revise the batch file
> parameters
> > > and
> > > > > > run
> > > > > > > it again tonight.  I did get the 1200 files stored this morning
> and
> > > have
> > > > > > not
> > > > > > > had a chance yet to figure out how to analyze all of them.  They
> are
> > > all 3
> > > > > > KB
> > > > > > > each.  For wahtever reason, my exchange server was stopped this
> > > morning
> > > > > > and
> > > > > > > the logs indicated that it had stopped at 3:30 AM  I don't know
> why
> > > this
> > > > > > > happened either or wheter it was related to the huge job I gave
> tie
> > > batch
> > > > > > > file to do, but anyway I started the Exchage service up again
> and
> > > emails
> > > > > > are
> > > > > > > working fine now.
> > > > > > >
> > > > > > > Regards,
> > > > > > >
> > > > > > > Rich
> > > > > > >
> > > > > > > "Pegasus (MVP)" wrote:
> > > > > > >
> > > > > > > > Sorry, I made a mistake. Change the command to
> > > > > > > > ping localhost -n 2
> > > > > > > > in order to introduce a delay of about one second,
> > > > > > > > then reduce the loop number back to 120.
> > > > > > > >
> > > > > > > >
> > > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
> > > message
> > > > > > > > news:9154CD91-D5D5-471D-9A1D-1FCB0A71F69F@microsoft.com...
> > > > > > > > > Dear Pegasus:
> > > > > > > > >
> > > > > > > > > Your intuition was right.  It is a good thing you suggested
> > > that.  The
> > > > > > > > batch
> > > > > > > > > file didn't work for a couple of reasons.  I shouldhave
> checked
> > > it
> > > > > > more
> > > > > > > > > closely.  But now it seems to work fine.  Here is what I did
> to
> > > make
> > > > > > it
> > > > > > > > work.
> > > > > > > > >  First, the thing went way too fast.  120 samples was done
> way
> > > too
> > > > > > quickly
> > > > > > > > so
> > > > > > > > > I bumped the number up to 1200.  That is a lot to look
> through,
> > > but I
> > > > > > > > guess I
> > > > > > > > > can figure out how to compare the files to see what is
> different
> > > > > > between
> > > > > > > > > them.  Not a heck of a lot will be happening between 3:26
> and
> > > 3:27 AM.
> > > > > > > > The
> > > > > > > > > second thing I had to adjust was the syntax.  There was a
> couple
> > > of
> > > > > > quotes
> > > > > > > > > missing in the commands. so I fixed that.  The defaut
> location
> > > of the
> > > > > > > > pulist
> > > > > > > > > was changed to where Windows puts it.  So the new batch file
> > > looks
> > > > > > > > something
> > > > > > > > > like this:
> > > > > > > > >
> > > > > > > > > @echo off
> > > > > > > > > for /L %%a in (1,1,1200) do ("c:\program files\resource
> > > kit\pulist" >
> > > > > > > > > c:\crap\tasks%%a.log & ping localhost -n 1)
> > > > > > > > >
> > > > > > > > > It seems to work fine, so tonight I will see if the task
> > > scheduler
> > > > > > does
> > > > > > > > its
> > > > > > > > > thing and traps the nasty task.
> > > > > > > > >
> > > > > > > > > Again, I really appreicate your suggestiosn and help.
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > >
> > > > > > > > > Rich
> > > > > > > > >
> > > > > > > > > "Pegasus (MVP)" wrote:
> > > > > > > > >
> > > > > > > > > > I trust you made sure that pulist.exe resides where my
> > > > > > > > > > batch file expects it. I also recommend that you invoke
> > > > > > > > > > that batch file manually at least once, for testing
> purposes.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote
> in
> > > > > > message
> > > > > > > > > > news:F2DDBE24-3D84-4E0F-9600-4647200A38A2@microsoft.com...
> > > > > > > > > > > Dear Pegasus:
> > > > > > > > > > >
> > > > > > > > > > > OK.  I created a batch file with your source code in it
> and
> > > am
> > > > > > kicking
> > > > > > > > it
> > > > > > > > > > > off with the task shceduler.  I'll let you know what it
> > > tells me.
> > > > > > > > > > >
> > > > > > > > > > > Thanks again.
> > > > > > > > > > >
> > > > > > > > > > > Rich
> > > > > > > > > > >
> > > > > > > > > > > "Pegasus (MVP)" wrote:

"Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
news:2D720F40-D5B4-4462-919C-7B4589D3034A@microsoft.com...
> Dear Pegasus:
>
> First, I first manually inspected and compared all 200 files (what a
pain),
> looking to see if anything jumped out during the time the files were being
> generated.  Other than the pullist file having a different value, they all
> appeared to be the same processes running.  I never saw one that shopwed
up
> and then went away.  So then I ran your new batch file with uniq.exe and
> found that when  I ran it it sorted the list of log files and within the
log
> files, it put the tasks in alphabetical order and generated a new tmp.text
> file.  Here is the output of that temp.txt file.
>
> Cm_smex.exe
> cmd.exe
> cmd.exe
> csrss.exe
> csrss.exe
> DbServer.exe
> dfssvc.exe
> dns.exe
> exmgmt.exe
> explorer.exe
> fxssvc.exe
> Idle
> imbservice.exe
> inetinfo.exe
> InstMon.exe
> InstRTS.exe
> InstWeb.exe
> llssrv.exe
> logon.scr
> lsass.exe
> mad.exe
> msdtc.exe
> MSPADMIN.EXE
> mssearch.exe
> NSAgent.exe
> ntfrs.exe
> NTRtScan.exe
> ntvdm.exe
> OfcDog.exe
> OfcService.exe
> OWSTIMER.EXE
> pbeagent.exe
> PBESER~1.EXE
> PccNTMon.exe
> POP3Trap.exe
> Process
> pulist.exe
> rdpclip.exe
> RMonitor.exe
> RMonUI.exe
> sbscrexe.exe
> services.exe
> SmexHS.exe
> SMEXMA.exe
> SmexVS.exe
> smss.exe
> sort.exe
> spoolsv.exe
> sqlagent.EXE
> sqlmangr.exe
> sqlservr.exe
> sqlservr.exe
> sqlservr.exe
> store.exe
> svchost.exe
> svchost.exe
> svchost.exe
> svchost.exe
> svchost.exe
> svchost.exe
> svchost.exe
> svchost.exe
> svchost.exe
> System
> tcpsvcs.exe
> TmListen.exe
> W3PREFCH.EXE
> W3PROXY.EXE
> w3wp.exe
> w3wp.exe
> winlogon.exe
> winlogon.exe
> wins.exe
> wmiprvse.exe
> wmiprvse.exe
> WSPSRV.EXE
> WZQKPICK.EXE
>
> I am not sure what this batch file accomplishes.  Should it show some
> differential processes if there were any?  If you see any process in the
list
> that I should worry about, I would appreciate knowing about it.  The
one(s)
> that could be a problem based on my research seem to be csrss.exe, I am
not
> sure where they get kicked off though.
>
> But I have another thought.  You may recall that I reported that the
> exchange server went down here for whatever reason and when it did and I
> restarted it, I did see a shift in the time that these emails tried to go
> out.  Instead of being deleted by my Trend filter at 3:27, the emails
somehow
> got deleted at 3:30.  So I wonder if this is really a program that
executed
> separately from exchange running all by itself, or whetther some how
> something is actually sending out mail through exchange.  Restarting the
> exchange process seems to have changed the time tht the mails tried to go
> out.  I am thinking I can prove whether it is exhcnage itself or whether
it
> is some rogue process running all by itself.  I can turn off the exchange
> process at say 3:00 AM and turn it back on say at 4:00 AM or even later.
If
> the rogue mails still try to go out, then it will prove that it really is
a
> program causing the mails; something like its own SMTP generator.
> Alternatively, if the mails don't try when exchange is off, then it is
will
> prove that the vehicle for sending is actually exchange or soething
> controlling exchange.  This won't help me to solve the problem actually,
but
> it will tell me that I am on the wrong track looking for a roque process.
>
> Does this make any sense?  Do you see anything in the process file data I
> should know about?  I think in addtion to truning off exchange manually at
> say 3 AM, I should let the batch file generate the process data, even when
> the exchange server is off too.  So we can see what is running even when
> exchange is not.
>
> I hope this makes sense to you too.
>
> Regards,
>
> "Pegasus (MVP)" wrote:
>
> > I attached uniq.ex, which you must rename to uniq.exe.
> > Check your newsreader security settings - they might have
> > detached it automatically. You could also check the
> > Internet for download sites (if it still exists).
> >
> >
> > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> > news:B552070A-B249-4789-A957-343B0CDC7092@microsoft.com...
> > > Dear Pegasus:
> > >
> > > Had you intended to provide a file named uniq.exe?  I do not see any
way
> > to
> > > get it from your last correspondence.
> > >
> > > Thanks,
> > >
> > > Rich
> > >
> > > "Pegasus (MVP)" wrote:
> > >
> > > > Output from pulist.exe might differ from one moment to the next
> > > > for two reasons:
> > > > - Some processes might be duplicated
> > > > - Processes might get different process numbers
> > > > - Processes might be listed in a different order.
> > > >
> > > > You can avoid these problems by using this batch file instead:
> > > >
> > > > Line1 @echo off
> > > > Line2 cd /d c:\PCCrap
> > > > Line3 for /L %%a in (1,1,200) do call :Sub %%a
> > > > Line4 goto :eof
> > > > Line5
> > > > Line6 :Sub
> > > > Line7 if exist temp.txt del temp.txt
> > > > Line8 for /F %%a in ('"c:\program files\resource kit\pulist" ^|
sort')
> > do
> > > > echo %%a >> temp.txt
> > > > Line9 type temp.txt | uniq.exe > Tasks%1.log
> > > > Line10 ping localhost -n 2 > nul
> > > >
> > > > Note the sequence of quotes in Line 8:  ( ' ", then  ' ).
> > > > I attach a copy of uniq.ex for your convenience.
> > > >
> > > >
> > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
message
> > > > news:AEBFBE4C-F05B-49B5-A9D4-A1CDD6177977@microsoft.com...
> > > > > Dear Pegasus:
> > > > >
> > > > > OK.  I edited the origianl batch file and changed the delay value
to
> > 2.
> > > > > That slowed thing down as expected.  I then changed the value of
the
> > > > nu,ber
> > > > > of samples, reducing it from 1200.  But I decided ona a value of
200
> > > > because
> > > > > for some reason last night the bogus emails tried to go out at

> > > > > instead of 3:27 AM  The value of 200 samples was well over 5
minutes
> > with
> > > > the
> > > > > delay set to 2, so I think this will be a happy compromise.  I
then
> > > > created a
> > > > > new batch file to test for the differences.  Since your batch file
> > > > required a
> > > > > keystroke for every comparison, I changed it a little bit to look
at
> > all
> > > > the
> > > > > differences and then pause at the end.  It is now written (called
> > > > > deltacrap.bat or something like that) as follows:
> > > > >
> > > > > @echo off
> > > > > cd /d c:\crap
> > > > > for /L %%a in (2,1,200) do fc tasks1.log tasks%%a.log | find /i
"No
> > > > > differences" > nul || (echo File tasks%%a.log is different!)
> > > > > pause
> > > > >
> > > > > It seems to work just fine.  However it has shown every new log
file
> > to be
> > > > > different.   So I was worried that the batch file was defective.
It
> > > > really
> > > > > isn't.  The plain fact is when I went to check, in fact every log
file
> > was
> > > > a
> > > > > little bit different.  Different tasks were running at all those
> > different
> > > > > times.  So it is working, but not very useful.  But since I get a
time
> > > > stamp
> > > > > for the deleted email attempts by the rogue process, I think I
will
> > first
> > > > > find out when Trend deleted the email attempts, go back a minute
or so
> > and
> > > > > manually look at the log files to see what processes were running
for
> > a
> > > > > minute or two.  Either that or I can edit the batch file as needed
and
> > > > change
> > > > > the log file to which I should compare to and look differentially
from
> > > > that
> > > > > log forward.   Otherwise the only other option would be to make a
> > batch
> > > > file
> > > > > that spells out what the differences are between on log file and
the
> > next.
> > > > > This would be real work.
> > > > >
> > > > > Thanks again Pegasus.  I really appreciate what you are doing to
help.
> > I
> > > > > will give you a dump tomorrow as to the results.  I have two
Microsoft
> > > > Tech
> > > > > sessions to attend tomorrow in the AM and a TS2 or two in the
> > afternoon.
> > > > So
> > > > > I wil be in Microsoft training all day tomorrow, but I will dump
the
> > > > results
> > > > > tomorrow night.
> > > > >
> > > > > Regards,
> > > > >
> > > > > Rich
> > > > >
> > > > > "Rich Farkas" wrote:
> > > > >
> > > > > > Dear Pegasus:
> > > > > >
> > > > > > That is a great idea.  I will run and debug that batch file you
> > provided
> > > > and
> > > > > > see if it yields anything for this trial run of 1200 files.  I
also
> > will
> > > > > > re-run the origianl test program you provided; modified for the
> > longer
> > > > delay
> > > > > > and only 120 samples tonight too.  SO I have some work to do.  I
> > will
> > > > get
> > > > > > back to you wth my findings.
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Rich
> > > > > >
> > > > > > "Pegasus (MVP)" wrote:
> > > > > >
> > > > > > > You can check your log files like so:
> > > > > > >
> > > > > > > Line1 @echo off
> > > > > > > Line2 cd /d c:\crap
> > > > > > > Line3 for /L %%a in (2,1,1200) do fc tasks1.log tasks%%a.log
|
> > find
> > > > /i "No
> > > > > > > differences" > nul || (echo File tasks%%a.log is different! &
> > pause)
> > > > > > >
> > > > > > > This untested batch file will show the name of every log file
that
> > is
> > > > > > > different
> > > > > > > from tasks1.log.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
> > message
> > > > > > > news:8EF937FE-AE87-4130-BC82-F45428F9A409@microsoft.com...
> > > > > > > > Dear Pegasus-
> > > > > > > >
> > > > > > > > Unfortunately I got your reply only this morning.  I weas
> > sleeping
> > > > when
> > > > > > > the
> > > > > > > > batch file ran at 3L26 AM.  So the procedure ran with the
value
> > of
> > > > 1200
> > > > > > > last
> > > > > > > > night starting at 3:26 AM.  I will revise the batch file
> > parameters
> > > > and
> > > > > > > run
> > > > > > > > it again tonight.  I did get the 1200 files stored this
morning
> > and
> > > > have
> > > > > > > not
> > > > > > > > had a chance yet to figure out how to analyze all of them.
They
> > are
> > > > all 3
> > > > > > > KB
> > > > > > > > each.  For wahtever reason, my exchange server was stopped
this
> > > > morning
> > > > > > > and
> > > > > > > > the logs indicated that it had stopped at 3:30 AM  I don't
know
> > why
> > > > this
> > > > > > > > happened either or wheter it was related to the huge job I
gave
> > tie
> > > > batch
> > > > > > > > file to do, but anyway I started the Exchage service up
again
> > and
> > > > emails
> > > > > > > are
> > > > > > > > working fine now.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > >
> > > > > > > > Rich
> > > > > > > >
> > > > > > > > "Pegasus (MVP)" wrote:
> > > > > > > >
> > > > > > > > > Sorry, I made a mistake. Change the command to
> > > > > > > > > ping localhost -n 2
> > > > > > > > > in order to introduce a delay of about one second,
> > > > > > > > > then reduce the loop number back to 120.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote
in
> > > > message
> > > > > > > > > news:9154CD91-D5D5-471D-9A1D-1FCB0A71F69F@microsoft.com...
> > > > > > > > > > Dear Pegasus:
> > > > > > > > > >
> > > > > > > > > > Your intuition was right.  It is a good thing you
suggested
> > > > that.  The
> > > > > > > > > batch
> > > > > > > > > > file didn't work for a couple of reasons.  I shouldhave
> > checked
> > > > it
> > > > > > > more
> > > > > > > > > > closely.  But now it seems to work fine.  Here is what I
did
> > to
> > > > make
> > > > > > > it
> > > > > > > > > work.
> > > > > > > > > >  First, the thing went way too fast.  120 samples was
done
> > way
> > > > too
> > > > > > > quickly
> > > > > > > > > so
> > > > > > > > > > I bumped the number up to 1200.  That is a lot to look
> > through,
> > > > but I
> > > > > > > > > guess I
> > > > > > > > > > can figure out how to compare the files to see what is
> > different
> > > > > > > between
> > > > > > > > > > them.  Not a heck of a lot will be happening between
3:26
> > and
> > > > 3:27 AM.
> > > > > > > > > The
> > > > > > > > > > second thing I had to adjust was the syntax.  There was
a
> > couple
> > > > of
> > > > > > > quotes
> > > > > > > > > > missing in the commands. so I fixed that.  The defaut
> > location
> > > > of the
> > > > > > > > > pulist
> > > > > > > > > > was changed to where Windows puts it.  So the new batch
file
> > > > looks
> > > > > > > > > something
> > > > > > > > > > like this:
> > > > > > > > > >
> > > > > > > > > > @echo off
> > > > > > > > > > for /L %%a in (1,1,1200) do ("c:\program files\resource
> > > > kit\pulist" >
> > > > > > > > > > c:\crap\tasks%%a.log & ping localhost -n 1)
> > > > > > > > > >
> > > > > > > > > > It seems to work fine, so tonight I will see if the task
> > > > scheduler
> > > > > > > does
> > > > > > > > > its
> > > > > > > > > > thing and traps the nasty task.
> > > > > > > > > >
> > > > > > > > > > Again, I really appreicate your suggestiosn and help.
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > >
> > > > > > > > > > Rich
> > > > > > > > > >
> > > > > > > > > > "Pegasus (MVP)" wrote:
> > > > > > > > > >
> > > > > > > > > > > I trust you made sure that pulist.exe resides where my
> > > > > > > > > > > batch file expects it. I also recommend that you
invoke
> > > > > > > > > > > that batch file manually at least once, for testing
> > purposes.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com>
wrote
> > in
> > > > > > > message
> > > > > > > > > > >
news:F2DDBE24-3D84-4E0F-9600-4647200A38A2@microsoft.com...
> > > > > > > > > > > > Dear Pegasus:
> > > > > > > > > > > >
> > > > > > > > > > > > OK.  I created a batch file with your source code in
it
> > and
> > > > am
> > > > > > > kicking
> > > > > > > > > it
> > > > > > > > > > > > off with the task shceduler.  I'll let you know what
it
> > > > tells me.
> > > > > > > > > > > >
> > > > > > > > > > > > Thanks again.
> > > > > > > > > > > >
> > > > > > > > > > > > Rich
> > > > > > > > > > > >
> > > > > > > > > > > > "Pegasus (MVP)" wrote:

"Pegasus (MVP)" wrote:

> uniq.exe uses temp.txt to generate task1.log, task2.log etc. This
> is your real output file - it lists all current tasks, sorted
> alphabetically,
> with duplicates suppressed.
>
> Turning off your Exchange server is an excellent idea!
>
>
> "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> news:2D720F40-D5B4-4462-919C-7B4589D3034A@microsoft.com...
> > Dear Pegasus:
> >
> > First, I first manually inspected and compared all 200 files (what a
> pain),
> > looking to see if anything jumped out during the time the files were being
> > generated.  Other than the pullist file having a different value, they all
> > appeared to be the same processes running.  I never saw one that shopwed
> up
> > and then went away.  So then I ran your new batch file with uniq.exe and
> > found that when  I ran it it sorted the list of log files and within the
> log
> > files, it put the tasks in alphabetical order and generated a new tmp.text
> > file.  Here is the output of that temp.txt file.
> >
> > Cm_smex.exe
> > cmd.exe
> > cmd.exe
> > csrss.exe
> > csrss.exe
> > DbServer.exe
> > dfssvc.exe
> > dns.exe
> > exmgmt.exe
> > explorer.exe
> > fxssvc.exe
> > Idle
> > imbservice.exe
> > inetinfo.exe
> > InstMon.exe
> > InstRTS.exe
> > InstWeb.exe
> > llssrv.exe
> > logon.scr
> > lsass.exe
> > mad.exe
> > msdtc.exe
> > MSPADMIN.EXE
> > mssearch.exe
> > NSAgent.exe
> > ntfrs.exe
> > NTRtScan.exe
> > ntvdm.exe
> > OfcDog.exe
> > OfcService.exe
> > OWSTIMER.EXE
> > pbeagent.exe
> > PBESER~1.EXE
> > PccNTMon.exe
> > POP3Trap.exe
> > Process
> > pulist.exe
> > rdpclip.exe
> > RMonitor.exe
> > RMonUI.exe
> > sbscrexe.exe
> > services.exe
> > SmexHS.exe
> > SMEXMA.exe
> > SmexVS.exe
> > smss.exe
> > sort.exe
> > spoolsv.exe
> > sqlagent.EXE
> > sqlmangr.exe
> > sqlservr.exe
> > sqlservr.exe
> > sqlservr.exe
> > store.exe
> > svchost.exe
> > svchost.exe
> > svchost.exe
> > svchost.exe
> > svchost.exe
> > svchost.exe
> > svchost.exe
> > svchost.exe
> > svchost.exe
> > System
> > tcpsvcs.exe
> > TmListen.exe
> > W3PREFCH.EXE
> > W3PROXY.EXE
> > w3wp.exe
> > w3wp.exe
> > winlogon.exe
> > winlogon.exe
> > wins.exe
> > wmiprvse.exe
> > wmiprvse.exe
> > WSPSRV.EXE
> > WZQKPICK.EXE
> >
> > I am not sure what this batch file accomplishes.  Should it show some
> > differential processes if there were any?  If you see any process in the
> list
> > that I should worry about, I would appreciate knowing about it.  The
> one(s)
> > that could be a problem based on my research seem to be csrss.exe, I am
> not
> > sure where they get kicked off though.
> >
> > But I have another thought.  You may recall that I reported that the
> > exchange server went down here for whatever reason and when it did and I
> > restarted it, I did see a shift in the time that these emails tried to go
> > out.  Instead of being deleted by my Trend filter at 3:27, the emails
> somehow
> > got deleted at 3:30.  So I wonder if this is really a program that
> executed
> > separately from exchange running all by itself, or whetther some how
> > something is actually sending out mail through exchange.  Restarting the
> > exchange process seems to have changed the time tht the mails tried to go
> > out.  I am thinking I can prove whether it is exhcnage itself or whether
> it
> > is some rogue process running all by itself.  I can turn off the exchange
> > process at say 3:00 AM and turn it back on say at 4:00 AM or even later.
> If
> > the rogue mails still try to go out, then it will prove that it really is
> a
> > program causing the mails; something like its own SMTP generator.
> > Alternatively, if the mails don't try when exchange is off, then it is
> will
> > prove that the vehicle for sending is actually exchange or soething
> > controlling exchange.  This won't help me to solve the problem actually,
> but
> > it will tell me that I am on the wrong track looking for a roque process.
> >
> > Does this make any sense?  Do you see anything in the process file data I
> > should know about?  I think in addtion to truning off exchange manually at
> > say 3 AM, I should let the batch file generate the process data, even when
> > the exchange server is off too.  So we can see what is running even when
> > exchange is not.
> >
> > I hope this makes sense to you too.
> >
> > Regards,
> >
> > "Pegasus (MVP)" wrote:
> >
> > > I attached uniq.ex, which you must rename to uniq.exe.
> > > Check your newsreader security settings - they might have
> > > detached it automatically. You could also check the
> > > Internet for download sites (if it still exists).
> > >
> > >
> > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> > > news:B552070A-B249-4789-A957-343B0CDC7092@microsoft.com...
> > > > Dear Pegasus:
> > > >
> > > > Had you intended to provide a file named uniq.exe?  I do not see any
> way
> > > to
> > > > get it from your last correspondence.
> > > >
> > > > Thanks,
> > > >
> > > > Rich
> > > >
> > > > "Pegasus (MVP)" wrote:
> > > >
> > > > > Output from pulist.exe might differ from one moment to the next
> > > > > for two reasons:
> > > > > - Some processes might be duplicated
> > > > > - Processes might get different process numbers
> > > > > - Processes might be listed in a different order.
> > > > >
> > > > > You can avoid these problems by using this batch file instead:
> > > > >
> > > > > Line1 @echo off
> > > > > Line2 cd /d c:\PCCrap
> > > > > Line3 for /L %%a in (1,1,200) do call :Sub %%a
> > > > > Line4 goto :eof
> > > > > Line5
> > > > > Line6 :Sub
> > > > > Line7 if exist temp.txt del temp.txt
> > > > > Line8 for /F %%a in ('"c:\program files\resource kit\pulist" ^|
> sort')
> > > do
> > > > > echo %%a >> temp.txt
> > > > > Line9 type temp.txt | uniq.exe > Tasks%1.log
> > > > > Line10 ping localhost -n 2 > nul
> > > > >
> > > > > Note the sequence of quotes in Line 8:  ( ' ", then  ' ).
> > > > > I attach a copy of uniq.ex for your convenience.
> > > > >
> > > > >
> > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
> message
> > > > > news:AEBFBE4C-F05B-49B5-A9D4-A1CDD6177977@microsoft.com...
> > > > > > Dear Pegasus:
> > > > > >
> > > > > > OK.  I edited the origianl batch file and changed the delay value
> to
> > > 2.
> > > > > > That slowed thing down as expected.  I then changed the value of
> the
> > > > > nu,ber
> > > > > > of samples, reducing it from 1200.  But I decided ona a value of
> 200
> > > > > because
> > > > > > for some reason last night the bogus emails tried to go out at
> 3:30 AM
> > > > > > instead of 3:27 AM  The value of 200 samples was well over 5
> minutes
> > > with
> > > > > the
> > > > > > delay set to 2, so I think this will be a happy compromise.  I
> then
> > > > > created a
> > > > > > new batch file to test for the differences.  Since your batch file
> > > > > required a
> > > > > > keystroke for every comparison, I changed it a little bit to look
> at
> > > all
> > > > > the
> > > > > > differences and then pause at the end.  It is now written (called
> > > > > > deltacrap.bat or something like that) as follows:
> > > > > >
> > > > > > @echo off
> > > > > > cd /d c:\crap
> > > > > > for /L %%a in (2,1,200) do fc tasks1.log tasks%%a.log | find /i
> "No
> > > > > > differences" > nul || (echo File tasks%%a.log is different!)
> > > > > > pause
> > > > > >
> > > > > > It seems to work just fine.  However it has shown every new log
> file
> > > to be
> > > > > > different.   So I was worried that the batch file was defective.
> It
> > > > > really
> > > > > > isn't.  The plain fact is when I went to check, in fact every log
> file
> > > was
> > > > > a
> > > > > > little bit different.  Different tasks were running at all those
> > > different
> > > > > > times.  So it is working, but not very useful.  But since I get a
> time
> > > > > stamp
> > > > > > for the deleted email attempts by the rogue process, I think I
> will
> > > first
> > > > > > find out when Trend deleted the email attempts, go back a minute
> or so
> > > and
> > > > > > manually look at the log files to see what processes were running
> for
> > > a
> > > > > > minute or two.  Either that or I can edit the batch file as needed
> and
> > > > > change
> > > > > > the log file to which I should compare to and look differentially
> from
> > > > > that
> > > > > > log forward.   Otherwise the only other option would be to make a
> > > batch
> > > > > file
> > > > > > that spells out what the differences are between on log file and
> the
> > > next.
> > > > > > This would be real work.
> > > > > >
> > > > > > Thanks again Pegasus.  I really appreciate what you are doing to
> help.
> > > I
> > > > > > will give you a dump tomorrow as to the results.  I have two
> Microsoft
> > > > > Tech
> > > > > > sessions to attend tomorrow in the AM and a TS2 or two in the
> > > afternoon.
> > > > > So
> > > > > > I wil be in Microsoft training all day tomorrow, but I will dump
> the
> > > > > results
> > > > > > tomorrow night.
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Rich
> > > > > >
> > > > > > "Rich Farkas" wrote:
> > > > > >
> > > > > > > Dear Pegasus:
> > > > > > >
> > > > > > > That is a great idea.  I will run and debug that batch file you
> > > provided
> > > > > and
> > > > > > > see if it yields anything for this trial run of 1200 files.  I
> also
> > > will

"Pegasus (MVP)" wrote:

> uniq.exe uses temp.txt to generate task1.log, task2.log etc. This
> is your real output file - it lists all current tasks, sorted
> alphabetically,
> with duplicates suppressed.
>
> Turning off your Exchange server is an excellent idea!
>
>
> "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> news:2D720F40-D5B4-4462-919C-7B4589D3034A@microsoft.com...
> > Dear Pegasus:
> >
> > First, I first manually inspected and compared all 200 files (what a
> pain),
> > looking to see if anything jumped out during the time the files were being
> > generated.  Other than the pullist file having a different value, they all
> > appeared to be the same processes running.  I never saw one that shopwed
> up
> > and then went away.  So then I ran your new batch file with uniq.exe and
> > found that when  I ran it it sorted the list of log files and within the
> log
> > files, it put the tasks in alphabetical order and generated a new tmp.text
> > file.  Here is the output of that temp.txt file.
> >
> > Cm_smex.exe
> > cmd.exe
> > cmd.exe
> > csrss.exe
> > csrss.exe
> > DbServer.exe
> > dfssvc.exe
> > dns.exe
> > exmgmt.exe
> > explorer.exe
> > fxssvc.exe
> > Idle
> > imbservice.exe
> > inetinfo.exe
> > InstMon.exe
> > InstRTS.exe
> > InstWeb.exe
> > llssrv.exe
> > logon.scr
> > lsass.exe
> > mad.exe
> > msdtc.exe
> > MSPADMIN.EXE
> > mssearch.exe
> > NSAgent.exe
> > ntfrs.exe
> > NTRtScan.exe
> > ntvdm.exe
> > OfcDog.exe
> > OfcService.exe
> > OWSTIMER.EXE
> > pbeagent.exe
> > PBESER~1.EXE
> > PccNTMon.exe
> > POP3Trap.exe
> > Process
> > pulist.exe
> > rdpclip.exe
> > RMonitor.exe
> > RMonUI.exe
> > sbscrexe.exe
> > services.exe
> > SmexHS.exe
> > SMEXMA.exe
> > SmexVS.exe
> > smss.exe
> > sort.exe
> > spoolsv.exe
> > sqlagent.EXE
> > sqlmangr.exe
> > sqlservr.exe
> > sqlservr.exe
> > sqlservr.exe
> > store.exe
> > svchost.exe
> > svchost.exe
> > svchost.exe
> > svchost.exe
> > svchost.exe
> > svchost.exe
> > svchost.exe
> > svchost.exe
> > svchost.exe
> > System
> > tcpsvcs.exe
> > TmListen.exe
> > W3PREFCH.EXE
> > W3PROXY.EXE
> > w3wp.exe
> > w3wp.exe
> > winlogon.exe
> > winlogon.exe
> > wins.exe
> > wmiprvse.exe
> > wmiprvse.exe
> > WSPSRV.EXE
> > WZQKPICK.EXE
> >
> > I am not sure what this batch file accomplishes.  Should it show some
> > differential processes if there were any?  If you see any process in the
> list
> > that I should worry about, I would appreciate knowing about it.  The
> one(s)
> > that could be a problem based on my research seem to be csrss.exe, I am
> not
> > sure where they get kicked off though.
> >
> > But I have another thought.  You may recall that I reported that the
> > exchange server went down here for whatever reason and when it did and I
> > restarted it, I did see a shift in the time that these emails tried to go
> > out.  Instead of being deleted by my Trend filter at 3:27, the emails
> somehow
> > got deleted at 3:30.  So I wonder if this is really a program that
> executed
> > separately from exchange running all by itself, or whetther some how
> > something is actually sending out mail through exchange.  Restarting the
> > exchange process seems to have changed the time tht the mails tried to go
> > out.  I am thinking I can prove whether it is exhcnage itself or whether
> it
> > is some rogue process running all by itself.  I can turn off the exchange
> > process at say 3:00 AM and turn it back on say at 4:00 AM or even later.
> If
> > the rogue mails still try to go out, then it will prove that it really is
> a
> > program causing the mails; something like its own SMTP generator.
> > Alternatively, if the mails don't try when exchange is off, then it is
> will
> > prove that the vehicle for sending is actually exchange or soething
> > controlling exchange.  This won't help me to solve the problem actually,
> but
> > it will tell me that I am on the wrong track looking for a roque process.
> >
> > Does this make any sense?  Do you see anything in the process file data I
> > should know about?  I think in addtion to truning off exchange manually at
> > say 3 AM, I should let the batch file generate the process data, even when
> > the exchange server is off too.  So we can see what is running even when
> > exchange is not.
> >
> > I hope this makes sense to you too.
> >
> > Regards,
> >
> > "Pegasus (MVP)" wrote:
> >
> > > I attached uniq.ex, which you must rename to uniq.exe.
> > > Check your newsreader security settings - they might have
> > > detached it automatically. You could also check the
> > > Internet for download sites (if it still exists).
> > >
> > >
> > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> > > news:B552070A-B249-4789-A957-343B0CDC7092@microsoft.com...
> > > > Dear Pegasus:
> > > >
> > > > Had you intended to provide a file named uniq.exe?  I do not see any
> way
> > > to
> > > > get it from your last correspondence.
> > > >
> > > > Thanks,
> > > >
> > > > Rich
> > > >
> > > > "Pegasus (MVP)" wrote:
> > > >
> > > > > Output from pulist.exe might differ from one moment to the next
> > > > > for two reasons:
> > > > > - Some processes might be duplicated
> > > > > - Processes might get different process numbers
> > > > > - Processes might be listed in a different order.
> > > > >
> > > > > You can avoid these problems by using this batch file instead:
> > > > >
> > > > > Line1 @echo off
> > > > > Line2 cd /d c:\PCCrap
> > > > > Line3 for /L %%a in (1,1,200) do call :Sub %%a
> > > > > Line4 goto :eof
> > > > > Line5
> > > > > Line6 :Sub
> > > > > Line7 if exist temp.txt del temp.txt
> > > > > Line8 for /F %%a in ('"c:\program files\resource kit\pulist" ^|
> sort')
> > > do
> > > > > echo %%a >> temp.txt
> > > > > Line9 type temp.txt | uniq.exe > Tasks%1.log
> > > > > Line10 ping localhost -n 2 > nul
> > > > >
> > > > > Note the sequence of quotes in Line 8:  ( ' ", then  ' ).
> > > > > I attach a copy of uniq.ex for your convenience.
> > > > >
> > > > >
> > > > > "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in
> message
> > > > > news:AEBFBE4C-F05B-49B5-A9D4-A1CDD6177977@microsoft.com...
> > > > > > Dear Pegasus:
> > > > > >
> > > > > > OK.  I edited the origianl batch file and changed the delay value
> to
> > > 2.
> > > > > > That slowed thing down as expected.  I then changed the value of
> the
> > > > > nu,ber
> > > > > > of samples, reducing it from 1200.  But I decided ona a value of
> 200
> > > > > because
> > > > > > for some reason last night the bogus emails tried to go out at
> 3:30 AM
> > > > > > instead of 3:27 AM  The value of 200 samples was well over 5
> minutes
> > > with
> > > > > the
> > > > > > delay set to 2, so I think this will be a happy compromise.  I
> then
> > > > > created a
> > > > > > new batch file to test for the differences.  Since your batch file
> > > > > required a
> > > > > > keystroke for every comparison, I changed it a little bit to look
> at
> > > all
> > > > > the
> > > > > > differences and then pause at the end.  It is now written (called
> > > > > > deltacrap.bat or something like that) as follows:
> > > > > >
> > > > > > @echo off
> > > > > > cd /d c:\crap
> > > > > > for /L %%a in (2,1,200) do fc tasks1.log tasks%%a.log | find /i
> "No
> > > > > > differences" > nul || (echo File tasks%%a.log is different!)
> > > > > > pause
> > > > > >
> > > > > > It seems to work just fine.  However it has shown every new log
> file
> > > to be
> > > > > > different.   So I was worried that the batch file was defective.
> It
> > > > > really
> > > > > > isn't.  The plain fact is when I went to check, in fact every log
> file
> > > was
> > > > > a
> > > > > > little bit different.  Different tasks were running at all those
> > > different
> > > > > > times.  So it is working, but not very useful.  But since I get a
> time
> > > > > stamp
> > > > > > for the deleted email attempts by the rogue process, I think I
> will
> > > first
> > > > > > find out when Trend deleted the email attempts, go back a minute
> or so
> > > and
> > > > > > manually look at the log files to see what processes were running
> for
> > > a
> > > > > > minute or two.  Either that or I can edit the batch file as needed
> and
> > > > > change
> > > > > > the log file to which I should compare to and look differentially
> from
> > > > > that
> > > > > > log forward.   Otherwise the only other option would be to make a
> > > batch
> > > > > file
> > > > > > that spells out what the differences are between on log file and
> the
> > > next.
> > > > > > This would be real work.
> > > > > >
> > > > > > Thanks again Pegasus.  I really appreciate what you are doing to
> help.
> > > I
> > > > > > will give you a dump tomorrow as to the results.  I have two
> Microsoft
> > > > > Tech
> > > > > > sessions to attend tomorrow in the AM and a TS2 or two in the
> > > afternoon.
> > > > > So
> > > > > > I wil be in Microsoft training all day tomorrow, but I will dump
> the
> > > > > results
> > > > > > tomorrow night.
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Rich
> > > > > >
> > > > > > "Rich Farkas" wrote:
> > > > > >
> > > > > > > Dear Pegasus:
> > > > > > >
> > > > > > > That is a great idea.  I will run and debug that batch file you
> > > provided
> > > > > and
> > > > > > > see if it yields anything for this trial run of 1200 files.  I
> also
> > > will

"Andrew Morton" wrote:

> Rich Farkas wrote:
> > I am running a SBS 2003 server.  At exactly 3:27 AM every morning,
> > some process is trying to send out mail both to me and others.  The
> > lsit of others is always the same and I am thinking that some email
> > came in with soem infection attached.
>
> Does the content of the e-mail suggest its source? Does "the list of others"
> have any significance - for example all valid e-mail addresses at your
> company or apparently random addresses?
>
> Andrew
>
>
>

"Andrew Morton" wrote:

> Rich Farkas wrote:
> > I am running a SBS 2003 server.  At exactly 3:27 AM every morning,
> > some process is trying to send out mail both to me and others.  The
> > lsit of others is always the same and I am thinking that some email
> > came in with soem infection attached.
>
> Does the content of the e-mail suggest its source? Does "the list of
> others"
> have any significance - for example all valid e-mail addresses at your
> company or apparently random addresses?
>
> Andrew
>
>
>

"Todd J Heron" wrote:

> Sounds like the email addresses are being spoofed - they only look like they
> are coming from your mail server when in fact they are not.  Many worms do
> this.  They are viruses which attack the address book of the PC (in this
> case the users on your listserv who have people in your company in their
> address book) and send email out to other people (trying to infect them)
> using the return address of the people in the address book.  It's quite
> clever actually but very malicious.  You may see NDRs sent back to your
> system.  Your server and internal clients may be clean.  Only way to stop
> this is to implement an anti-spam solution.  This is my guess on your
> situation.
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights
>
> "Rich Farkas" <RichFar***@discussions.microsoft.com> wrote in message
> news:0CFBB313-9B4C-442B-863B-F3A11F12E4F4@microsoft.com...
> Dear Andrew-
>
> This whole mess started when an eamil came into a user account by mistake.
> We use the typical format of first intitial and last n***@domain.com for
> user
> email addtresses.  This server is located in the midwest.  The emails came
> form a list of people (not a listserver) in the state of Washington, one of
> whom who has the same first intial and last name as one of our users.
> However they of course do not have the same domain.  One of our users, the
> same one with the similar first intial and last name is set up to POP email
> from his personal ISP, in addition to getting his mail from the Exchange
> server.  Somehow an email intended for this group of individuals came in to
> his Outlook client through a simple yyping error and somehow seems to have
> screwed up the exchange server now.  The users name has been removed form
> the
> list.  The individuals on the list admit that they did have a problem with
> viruses on their stand alone personal PCs, but no longer have it.  We
> however
> still have the problem on the exchange server (we think).  Does that make
> sense?  Oh, let me add that what ever this thing is, it never has seemingly
> tried to attack any other email addtresses from the address lsit of the user
> that got the unintended source or any other address lists on the server.
>
> Rich
>
> "Andrew Morton" wrote:
>
> > Rich Farkas wrote:
> > > I am running a SBS 2003 server.  At exactly 3:27 AM every morning,
> > > some process is trying to send out mail both to me and others.  The
> > > lsit of others is always the same and I am thinking that some email
> > > came in with soem infection attached.
> >
> > Does the content of the e-mail suggest its source? Does "the list of
> > others"
> > have any significance - for example all valid e-mail addresses at your
> > company or apparently random addresses?
> >
> > Andrew
> >
> >
> >
>
>